Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-12.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memmove12 * BadSink : Copy int array to data using memmove13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12_bad()22{✓ 23 int * data;✓ 24 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));✓ 25 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));✓ 26 if(globalReturnsTrueOrFalse())27 {28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination29 * buffer in various memory copying functions using a "large" source buffer. */✓ 30 data = dataBadBuffer;31 }32 else33 {34 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */✓ 35 data = dataGoodBuffer;36 }37 {✓ 38 int source[100] = {0}; /* fill with 0's */39 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 40 memmove(data, source, 100*sizeof(int));❗VULN✓ 41 printIntLine(data[0]);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B() - use goodsource and badsink by changing the "if" so that50 * both branches use the GoodSource */51static void goodG2B()52{53 int * data;54 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));55 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));56 if(globalReturnsTrueOrFalse())57 {58 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */59 data = dataGoodBuffer;60 }61 else62 {63 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */64 data = dataGoodBuffer;65 }66 {67 int source[100] = {0}; /* fill with 0's */68 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */69 memmove(data, source, 100*sizeof(int));70 printIntLine(data[0]);71 }72}7374void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12_good()75{76 goodG2B();77}7879#endif /* OMITGOOD */8081/* Below is the main(). It is only used when building this testcase on82 * its own for testing or for building a binary to use in testing binary83 * analysis tools. It is not used when compiling all the testcases as one84 * application, which is how source code analysis tools are tested.85 */8687#ifdef INCLUDEMAIN8889int main(int argc, char * argv[])90{91 /* seed randomness */92 srand( (unsigned)time(NULL) );93#ifndef OMITGOOD94 printLine("Calling good()...");95 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12_good();96 printLine("Finished good()");97#endif /* OMITGOOD */98#ifndef OMITBAD99 printLine("Calling bad()...");100 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12_bad();101 printLine("Finished bad()");102#endif /* OMITBAD */103 return 0;104}105106#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 29 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_rand_15.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129.label.xml4Template File: sources-sinks-15.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: rand Set data to result of rand(), which may be zero10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 15 Control flow: switch(6) and switch(7)15 * */1617#include "std_testcase.h"1819namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_rand_1520{2122#ifndef OMITBAD2324void bad()25{✓ 26 int data;27 /* Initialize data */✓ 28 data = -1;✓ 29 switch(6)30 {✓ 31 case 6:32 /* POTENTIAL FLAW: Set data to a random value */✓ 33 data = RAND32();✓ 34 break;✓ 35 default:36 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 37 printLine("Benign, fixed string");✓ 38 break;39 }✓ 40 switch(7)41 {✓ 42 case 7:43 {✓ 44 int i;✓ 45 int * buffer = new int[10];46 /* initialize buffer */✓ 47 for (i = 0; i < 10; i++)48 {✓ 49 buffer[i] = 0;50 }51 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound52 * This code does check to see if the array index is negative */✓ 53 if (data >= 0)54 {✓ 55 buffer[data] = 1;❗VULN56 /* Print the array values */✓ 57 for(i = 0; i < 10; i++)58 {✓ 59 printIntLine(buffer[i]);60 }61 }62 else63 {✓ 64 printLine("ERROR: Array index is negative.");65 }✓ 66 delete[] buffer;67 }✓ 68 break;✓ 69 default:70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 71 printLine("Benign, fixed string");✓ 72 break;73 }74}7576#endif /* OMITBAD */7778#ifndef OMITGOOD7980/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */81static void goodB2G1()82{83 int data;84 /* Initialize data */85 data = -1;86 switch(6)87 {88 case 6:89 /* POTENTIAL FLAW: Set data to a random value */90 data = RAND32();91 break;92 default:93 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */94 printLine("Benign, fixed string");95 break;96 }97 switch(8)98 {99 case 7:100 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */101 printLine("Benign, fixed string");102 break;103 default:104 {105 int i;106 int * buffer = new int[10];107 /* initialize buffer */108 for (i = 0; i < 10; i++)109 {110 buffer[i] = 0;111 }112 /* FIX: Properly validate the array index and prevent a buffer overflow */113 if (data >= 0 && data < (10))114 {115 buffer[data] = 1;116 /* Print the array values */117 for(i = 0; i < 10; i++)118 {119 printIntLine(buffer[i]);120 }121 }122 else123 {124 printLine("ERROR: Array index is out-of-bounds");125 }126 delete[] buffer;127 }128 break;129 }130}131132/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */133static void goodB2G2()134{135 int data;136 /* Initialize data */137 data = -1;138 switch(6)139 {140 case 6:141 /* POTENTIAL FLAW: Set data to a random value */142 data = RAND32();143 break;144 default:145 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */146 printLine("Benign, fixed string");147 break;148 }149 switch(7)150 {151 case 7:152 {153 int i;154 int * buffer = new int[10];155 /* initialize buffer */156 for (i = 0; i < 10; i++)157 {158 buffer[i] = 0;159 }160 /* FIX: Properly validate the array index and prevent a buffer overflow */161 if (data >= 0 && data < (10))162 {163 buffer[data] = 1;164 /* Print the array values */165 for(i = 0; i < 10; i++)166 {167 printIntLine(buffer[i]);168 }169 }170 else171 {172 printLine("ERROR: Array index is out-of-bounds");173 }174 delete[] buffer;175 }176 break;177 default:178 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */179 printLine("Benign, fixed string");180 break;181 }182}183184/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */185static void goodG2B1()186{187 int data;188 /* Initialize data */189 data = -1;190 switch(5)191 {192 case 6:193 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */194 printLine("Benign, fixed string");195 break;196 default:197 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to198 * access an index of the array in the sink that is out-of-bounds */199 data = 7;200 break;201 }202 switch(7)203 {204 case 7:205 {206 int i;207 int * buffer = new int[10];208 /* initialize buffer */209 for (i = 0; i < 10; i++)210 {211 buffer[i] = 0;212 }213 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound214 * This code does check to see if the array index is negative */215 if (data >= 0)216 {217 buffer[data] = 1;218 /* Print the array values */219 for(i = 0; i < 10; i++)220 {221 printIntLine(buffer[i]);222 }223 }224 else225 {226 printLine("ERROR: Array index is negative.");227 }228 delete[] buffer;229 }230 break;231 default:232 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */233 printLine("Benign, fixed string");234 break;235 }236}237238/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */239static void goodG2B2()240{241 int data;242 /* Initialize data */243 data = -1;244 switch(6)245 {246 case 6:247 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to248 * access an index of the array in the sink that is out-of-bounds */249 data = 7;250 break;251 default:252 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */253 printLine("Benign, fixed string");254 break;255 }256 switch(7)257 {258 case 7:259 {260 int i;261 int * buffer = new int[10];262 /* initialize buffer */263 for (i = 0; i < 10; i++)264 {265 buffer[i] = 0;266 }267 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound268 * This code does check to see if the array index is negative */269 if (data >= 0)270 {271 buffer[data] = 1;272 /* Print the array values */273 for(i = 0; i < 10; i++)274 {275 printIntLine(buffer[i]);276 }277 }278 else279 {280 printLine("ERROR: Array index is negative.");281 }282 delete[] buffer;283 }284 break;285 default:286 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */287 printLine("Benign, fixed string");288 break;289 }290}291292void good()293{294 goodB2G1();295 goodB2G2();296 goodG2B1();297 goodG2B2();298}299300#endif /* OMITGOOD */301302} /* close namespace */303304/* Below is the main(). It is only used when building this testcase on305 its own for testing or for building a binary to use in testing binary306 analysis tools. It is not used when compiling all the testcases as one307 application, which is how source code analysis tools are tested. */308309#ifdef INCLUDEMAIN310311using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_rand_15; /* so that we can use good and bad easily */312313int main(int argc, char * argv[])314{315 /* seed randomness */316 srand( (unsigned)time(NULL) );317#ifndef OMITGOOD318 printLine("Calling good()...");319 good();320 printLine("Finished good()");321#endif /* OMITGOOD */322#ifndef OMITBAD323 printLine("Calling bad()...");324 bad();325 printLine("Finished bad()");326#endif /* OMITBAD */327 return 0;328}329330#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_07.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-07.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: ncpy12 * BadSink : Copy string to data using wcsncpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 any other value so a tool should be able to identify that reads of23 this will always give its initialized value. */24static int staticFive = 5;2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_0727{2829#ifndef OMITBAD3031void bad()32{✓ 33 wchar_t * data;✓ 34 data = NULL;✓ 35 if(staticFive==5)36 {37 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 38 data = new wchar_t[50];✓ 39 data[0] = L'\0'; /* null terminate */40 }41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 46 wcsncpy(data, source, 100-1);❗VULN✓ 47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 48 printWLine(data);✓ 49 delete [] data;50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */58static void goodG2B1()59{60 wchar_t * data;61 data = NULL;62 if(staticFive!=5)63 {64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */65 printLine("Benign, fixed string");66 }67 else68 {69 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */70 data = new wchar_t[100];71 data[0] = L'\0'; /* null terminate */72 }73 {74 wchar_t source[100];75 wmemset(source, L'C', 100-1); /* fill with L'C's */76 source[100-1] = L'\0'; /* null terminate */77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */78 wcsncpy(data, source, 100-1);79 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */80 printWLine(data);81 delete [] data;82 }83}8485/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */86static void goodG2B2()87{88 wchar_t * data;89 data = NULL;90 if(staticFive==5)91 {92 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */93 data = new wchar_t[100];94 data[0] = L'\0'; /* null terminate */95 }96 {97 wchar_t source[100];98 wmemset(source, L'C', 100-1); /* fill with L'C's */99 source[100-1] = L'\0'; /* null terminate */100 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */101 wcsncpy(data, source, 100-1);102 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */103 printWLine(data);104 delete [] data;105 }106}107108void good()109{110 goodG2B1();111 goodG2B2();112}113114#endif /* OMITGOOD */115116} /* close namespace */117118/* Below is the main(). It is only used when building this testcase on119 its own for testing or for building a binary to use in testing binary120 analysis tools. It is not used when compiling all the testcases as one121 application, which is how source code analysis tools are tested. */122123#ifdef INCLUDEMAIN124125using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_07; /* so that we can use good and bad easily */126127int main(int argc, char * argv[])128{129 /* seed randomness */130 srand( (unsigned)time(NULL) );131#ifndef OMITGOOD132 printLine("Calling good()...");133 good();134 printLine("Finished good()");135#endif /* OMITGOOD */136#ifndef OMITBAD137 printLine("Calling bad()...");138 bad();139 printLine("Finished bad()");140#endif /* OMITBAD */141 return 0;142}143144#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_07.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_src.label.xml4Template File: sources-sink-07.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 any other value so a tool should be able to identify that reads of23 this will always give its initialized value. */24static int staticFive = 5;2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_0727{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 data = new char[100];✓ 35 if(staticFive==5)36 {37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 38 memset(data, 'A', 100-1); /* fill with 'A's */✓ 39 data[100-1] = '\0'; /* null terminate */40 }41 {✓ 42 char dest[50] = "";43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 44 strcpy(dest, data);❗VULN✓ 45 printLine(data);✓ 46 delete [] data;47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */55static void goodG2B1()56{57 char * data;58 data = new char[100];59 if(staticFive!=5)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */67 memset(data, 'A', 50-1); /* fill with 'A's */68 data[50-1] = '\0'; /* null terminate */69 }70 {71 char dest[50] = "";72 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */73 strcpy(dest, data);74 printLine(data);75 delete [] data;76 }77}7879/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */80static void goodG2B2()81{82 char * data;83 data = new char[100];84 if(staticFive==5)85 {86 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */87 memset(data, 'A', 50-1); /* fill with 'A's */88 data[50-1] = '\0'; /* null terminate */89 }90 {91 char dest[50] = "";92 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */93 strcpy(dest, data);94 printLine(data);95 delete [] data;96 }97}9899void good()100{101 goodG2B1();102 goodG2B2();103}104105#endif /* OMITGOOD */106107} /* close namespace */108109/* Below is the main(). It is only used when building this testcase on110 its own for testing or for building a binary to use in testing binary111 analysis tools. It is not used when compiling all the testcases as one112 application, which is how source code analysis tools are tested. */113114#ifdef INCLUDEMAIN115116using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_07; /* so that we can use good and bad easily */117118int main(int argc, char * argv[])119{120 /* seed randomness */121 srand( (unsigned)time(NULL) );122#ifndef OMITGOOD123 printLine("Calling good()...");124 good();125 printLine("Finished good()");126#endif /* OMITGOOD */127#ifndef OMITBAD128 printLine("Calling bad()...");129 bad();130 printLine("Finished bad()");131#endif /* OMITBAD */132 return 0;133}134135#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_declare_loop_10.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-10.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__char_declare_loop_10_bad()24{✓ 25 char * data;✓ 26 char dataBuffer[100];✓ 27 memset(dataBuffer, 'A', 100-1);✓ 28 dataBuffer[100-1] = '\0';✓ 29 if(globalTrue)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 size_t i;✓ 36 char dest[100];✓ 37 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 38 dest[100-1] = '\0'; /* null terminate */39 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 40 for (i = 0; i < 100; i++)41 {✓ 42 dest[i] = data[i];❗VULN43 }44 /* Ensure null termination */✓ 45 dest[100-1] = '\0';✓ 46 printLine(dest);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */55static void goodG2B1()56{57 char * data;58 char dataBuffer[100];59 memset(dataBuffer, 'A', 100-1);60 dataBuffer[100-1] = '\0';61 if(globalFalse)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Set data pointer to the allocated memory buffer */69 data = dataBuffer;70 }71 {72 size_t i;73 char dest[100];74 memset(dest, 'C', 100-1); /* fill with 'C's */75 dest[100-1] = '\0'; /* null terminate */76 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */77 for (i = 0; i < 100; i++)78 {79 dest[i] = data[i];80 }81 /* Ensure null termination */82 dest[100-1] = '\0';83 printLine(dest);84 }85}8687/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */88static void goodG2B2()89{90 char * data;91 char dataBuffer[100];92 memset(dataBuffer, 'A', 100-1);93 dataBuffer[100-1] = '\0';94 if(globalTrue)95 {96 /* FIX: Set data pointer to the allocated memory buffer */97 data = dataBuffer;98 }99 {100 size_t i;101 char dest[100];102 memset(dest, 'C', 100-1); /* fill with 'C's */103 dest[100-1] = '\0'; /* null terminate */104 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */105 for (i = 0; i < 100; i++)106 {107 dest[i] = data[i];108 }109 /* Ensure null termination */110 dest[100-1] = '\0';111 printLine(dest);112 }113}114115void CWE127_Buffer_Underread__char_declare_loop_10_good()116{117 goodG2B1();118 goodG2B2();119}120121#endif /* OMITGOOD */122123/* Below is the main(). It is only used when building this testcase on124 * its own for testing or for building a binary to use in testing binary125 * analysis tools. It is not used when compiling all the testcases as one126 * application, which is how source code analysis tools are tested.127 */128129#ifdef INCLUDEMAIN130131int main(int argc, char * argv[])132{133 /* seed randomness */134 srand( (unsigned)time(NULL) );135#ifndef OMITGOOD136 printLine("Calling good()...");137 CWE127_Buffer_Underread__char_declare_loop_10_good();138 printLine("Finished good()");139#endif /* OMITGOOD */140#ifndef OMITBAD141 printLine("Calling bad()...");142 CWE127_Buffer_Underread__char_declare_loop_10_bad();143 printLine("Finished bad()");144#endif /* OMITBAD */145 return 0;146}147148#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 20 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_cpy_12.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-12.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__malloc_char_cpy_12_bad()24{✓ 25 char * data;✓ 26 data = NULL;✓ 27 if(globalReturnsTrueOrFalse())28 {29 {✓ 30 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 memset(dataBuffer, 'A', 100-1);✓ 33 dataBuffer[100-1] = '\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 else39 {40 {✓ 41 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 42 if (dataBuffer == NULL) {exit(-1);}✓ 43 memset(dataBuffer, 'A', 100-1);✓ 44 dataBuffer[100-1] = '\0';45 /* FIX: Set data pointer to the allocated memory buffer */✓ 46 data = dataBuffer;47 }48 }49 {✓ 50 char dest[100*2];✓ 51 memset(dest, 'C', 100*2-1); /* fill with 'C's */✓ 52 dest[100*2-1] = '\0'; /* null terminate */53 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 54 strcpy(dest, data);❗VULN✓ 55 printLine(dest);56 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location57 * returned by malloc() so can't safely call free() on it */58 }59}6061#endif /* OMITBAD */6263#ifndef OMITGOOD6465/* goodG2B() - use goodsource and badsink by changing the "if" so that66 * both branches use the GoodSource */67static void goodG2B()68{69 char * data;70 data = NULL;71 if(globalReturnsTrueOrFalse())72 {73 {74 char * dataBuffer = (char *)malloc(100*sizeof(char));75 if (dataBuffer == NULL) {exit(-1);}76 memset(dataBuffer, 'A', 100-1);77 dataBuffer[100-1] = '\0';78 /* FIX: Set data pointer to the allocated memory buffer */79 data = dataBuffer;80 }81 }82 else83 {84 {85 char * dataBuffer = (char *)malloc(100*sizeof(char));86 if (dataBuffer == NULL) {exit(-1);}87 memset(dataBuffer, 'A', 100-1);88 dataBuffer[100-1] = '\0';89 /* FIX: Set data pointer to the allocated memory buffer */90 data = dataBuffer;91 }92 }93 {94 char dest[100*2];95 memset(dest, 'C', 100*2-1); /* fill with 'C's */96 dest[100*2-1] = '\0'; /* null terminate */97 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */98 strcpy(dest, data);99 printLine(dest);100 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location101 * returned by malloc() so can't safely call free() on it */102 }103}104105void CWE127_Buffer_Underread__malloc_char_cpy_12_good()106{107 goodG2B();108}109110#endif /* OMITGOOD */111112/* Below is the main(). It is only used when building this testcase on113 * its own for testing or for building a binary to use in testing binary114 * analysis tools. It is not used when compiling all the testcases as one115 * application, which is how source code analysis tools are tested.116 */117118#ifdef INCLUDEMAIN119120int main(int argc, char * argv[])121{122 /* seed randomness */123 srand( (unsigned)time(NULL) );124#ifndef OMITGOOD125 printLine("Calling good()...");126 CWE127_Buffer_Underread__malloc_char_cpy_12_good();127 printLine("Finished good()");128#endif /* OMITGOOD */129#ifndef OMITBAD130 printLine("Calling bad()...");131 CWE127_Buffer_Underread__malloc_char_cpy_12_bad();132 printLine("Finished bad()");133#endif /* OMITBAD */134 return 0;135}136137#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml4Template File: sources-sink-14.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory without using sizeof(int)10 * GoodSource: Allocate memory using sizeof(int)11 * Sink: loop12 * BadSink : Copy array to data using a loop13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14_bad()22{✓ 23 int * data;✓ 24 data = NULL;✓ 25 if(globalFive==5)26 {27 /* FLAW: Allocate memory without using sizeof(int) */✓ 28 data = (int *)malloc(10);✓ 29 if (data == NULL) {exit(-1);}30 }31 {✓ 32 int source[10] = {0};✓ 33 size_t i;34 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */✓ 35 for (i = 0; i < 10; i++)36 {✓ 37 data[i] = source[i];❗VULN38 }✓ 39 printIntLine(data[0]);✓ 40 free(data);41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */49static void goodG2B1()50{51 int * data;52 data = NULL;53 if(globalFive!=5)54 {55 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */56 printLine("Benign, fixed string");57 }58 else59 {60 /* FIX: Allocate memory using sizeof(int) */61 data = (int *)malloc(10*sizeof(int));62 if (data == NULL) {exit(-1);}63 }64 {65 int source[10] = {0};66 size_t i;67 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */68 for (i = 0; i < 10; i++)69 {70 data[i] = source[i];71 }72 printIntLine(data[0]);73 free(data);74 }75}7677/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */78static void goodG2B2()79{80 int * data;81 data = NULL;82 if(globalFive==5)83 {84 /* FIX: Allocate memory using sizeof(int) */85 data = (int *)malloc(10*sizeof(int));86 if (data == NULL) {exit(-1);}87 }88 {89 int source[10] = {0};90 size_t i;91 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */92 for (i = 0; i < 10; i++)93 {94 data[i] = source[i];95 }96 printIntLine(data[0]);97 free(data);98 }99}100101void CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14_good()102{103 goodG2B1();104 goodG2B2();105}106107#endif /* OMITGOOD */108109/* Below is the main(). It is only used when building this testcase on110 * its own for testing or for building a binary to use in testing binary111 * analysis tools. It is not used when compiling all the testcases as one112 * application, which is how source code analysis tools are tested.113 */114115#ifdef INCLUDEMAIN116117int main(int argc, char * argv[])118{119 /* seed randomness */120 srand( (unsigned)time(NULL) );121#ifndef OMITGOOD122 printLine("Calling good()...");123 CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14_good();124 printLine("Finished good()");125#endif /* OMITGOOD */126#ifndef OMITBAD127 printLine("Calling bad()...");128 CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14_bad();129 printLine("Finished bad()");130#endif /* OMITBAD */131 return 0;132}133134#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_13.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_src.label.xml4Template File: sources-sink-13.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_1322{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = new char[100];✓ 30 if(GLOBAL_CONST_FIVE==5)31 {32 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 33 memset(data, 'A', 100-1); /* fill with 'A's */✓ 34 data[100-1] = '\0'; /* null terminate */35 }36 {✓ 37 char dest[50] = "";38 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 39 strcpy(dest, data);❗VULN✓ 40 printLine(data);✓ 41 delete [] data;42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */50static void goodG2B1()51{52 char * data;53 data = new char[100];54 if(GLOBAL_CONST_FIVE!=5)55 {56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */57 printLine("Benign, fixed string");58 }59 else60 {61 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */62 memset(data, 'A', 50-1); /* fill with 'A's */63 data[50-1] = '\0'; /* null terminate */64 }65 {66 char dest[50] = "";67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */68 strcpy(dest, data);69 printLine(data);70 delete [] data;71 }72}7374/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */75static void goodG2B2()76{77 char * data;78 data = new char[100];79 if(GLOBAL_CONST_FIVE==5)80 {81 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */82 memset(data, 'A', 50-1); /* fill with 'A's */83 data[50-1] = '\0'; /* null terminate */84 }85 {86 char dest[50] = "";87 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */88 strcpy(dest, data);89 printLine(data);90 delete [] data;91 }92}9394void good()95{96 goodG2B1();97 goodG2B2();98}99100#endif /* OMITGOOD */101102} /* close namespace */103104/* Below is the main(). It is only used when building this testcase on105 its own for testing or for building a binary to use in testing binary106 analysis tools. It is not used when compiling all the testcases as one107 application, which is how source code analysis tools are tested. */108109#ifdef INCLUDEMAIN110111using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_13; /* so that we can use good and bad easily */112113int main(int argc, char * argv[])114{115 /* seed randomness */116 srand( (unsigned)time(NULL) );117#ifndef OMITGOOD118 printLine("Calling good()...");119 good();120 printLine("Finished good()");121#endif /* OMITGOOD */122#ifndef OMITBAD123 printLine("Calling bad()...");124 bad();125 printLine("Finished bad()");126#endif /* OMITBAD */127 return 0;128}129130#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 18 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-12.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12_bad()24{✓ 25 char * data;✓ 26 char dataBadBuffer[50];✓ 27 char dataGoodBuffer[100];✓ 28 if(globalReturnsTrueOrFalse())29 {30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination31 * buffer in various memory copying functions using a "large" source buffer. */✓ 32 data = dataBadBuffer;✓ 33 data[0] = '\0'; /* null terminate */34 }35 else36 {37 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */✓ 38 data = dataGoodBuffer;✓ 39 data[0] = '\0'; /* null terminate */40 }41 {✓ 42 size_t i;✓ 43 char source[100];✓ 44 memset(source, 'C', 100-1); /* fill with 'C's */✓ 45 source[100-1] = '\0'; /* null terminate */46 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 47 for (i = 0; i < 100; i++)48 {✓ 49 data[i] = source[i];❗VULN50 }✓ 51 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 52 printLine(data);53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B() - use goodsource and badsink by changing the "if" so that61 * both branches use the GoodSource */62static void goodG2B()63{64 char * data;65 char dataBadBuffer[50];66 char dataGoodBuffer[100];67 if(globalReturnsTrueOrFalse())68 {69 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */70 data = dataGoodBuffer;71 data[0] = '\0'; /* null terminate */72 }73 else74 {75 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */76 data = dataGoodBuffer;77 data[0] = '\0'; /* null terminate */78 }79 {80 size_t i;81 char source[100];82 memset(source, 'C', 100-1); /* fill with 'C's */83 source[100-1] = '\0'; /* null terminate */84 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */85 for (i = 0; i < 100; i++)86 {87 data[i] = source[i];88 }89 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */90 printLine(data);91 }92}9394void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12_good()95{96 goodG2B();97}9899#endif /* OMITGOOD */100101/* Below is the main(). It is only used when building this testcase on102 * its own for testing or for building a binary to use in testing binary103 * analysis tools. It is not used when compiling all the testcases as one104 * application, which is how source code analysis tools are tested.105 */106107#ifdef INCLUDEMAIN108109int main(int argc, char * argv[])110{111 /* seed randomness */112 srand( (unsigned)time(NULL) );113#ifndef OMITGOOD114 printLine("Calling good()...");115 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12_good();116 printLine("Finished good()");117#endif /* OMITGOOD */118#ifndef OMITBAD119 printLine("Calling bad()...");120 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12_bad();121 printLine("Finished bad()");122#endif /* OMITBAD */123 return 0;124}125126#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_declare_memmove_13.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-13.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__wchar_t_declare_memmove_13_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t dataBuffer[100];✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';✓ 29 if(GLOBAL_CONST_FIVE==5)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 wchar_t dest[100];✓ 36 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 37 dest[100-1] = L'\0'; /* null terminate */38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 39 memmove(dest, data, 100*sizeof(wchar_t));❗VULN40 /* Ensure null termination */✓ 41 dest[100-1] = L'\0';✓ 42 printWLine(dest);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */51static void goodG2B1()52{53 wchar_t * data;54 wchar_t dataBuffer[100];55 wmemset(dataBuffer, L'A', 100-1);56 dataBuffer[100-1] = L'\0';57 if(GLOBAL_CONST_FIVE!=5)58 {59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */60 printLine("Benign, fixed string");61 }62 else63 {64 /* FIX: Set data pointer to the allocated memory buffer */65 data = dataBuffer;66 }67 {68 wchar_t dest[100];69 wmemset(dest, L'C', 100-1); /* fill with 'C's */70 dest[100-1] = L'\0'; /* null terminate */71 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */72 memmove(dest, data, 100*sizeof(wchar_t));73 /* Ensure null termination */74 dest[100-1] = L'\0';75 printWLine(dest);76 }77}7879/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */80static void goodG2B2()81{82 wchar_t * data;83 wchar_t dataBuffer[100];84 wmemset(dataBuffer, L'A', 100-1);85 dataBuffer[100-1] = L'\0';86 if(GLOBAL_CONST_FIVE==5)87 {88 /* FIX: Set data pointer to the allocated memory buffer */89 data = dataBuffer;90 }91 {92 wchar_t dest[100];93 wmemset(dest, L'C', 100-1); /* fill with 'C's */94 dest[100-1] = L'\0'; /* null terminate */95 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */96 memmove(dest, data, 100*sizeof(wchar_t));97 /* Ensure null termination */98 dest[100-1] = L'\0';99 printWLine(dest);100 }101}102103void CWE127_Buffer_Underread__wchar_t_declare_memmove_13_good()104{105 goodG2B1();106 goodG2B2();107}108109#endif /* OMITGOOD */110111/* Below is the main(). It is only used when building this testcase on112 * its own for testing or for building a binary to use in testing binary113 * analysis tools. It is not used when compiling all the testcases as one114 * application, which is how source code analysis tools are tested.115 */116117#ifdef INCLUDEMAIN118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 CWE127_Buffer_Underread__wchar_t_declare_memmove_13_good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 CWE127_Buffer_Underread__wchar_t_declare_memmove_13_bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: ncpy12 * BadSink : Copy string to data using strncpy13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18_bad()24{✓ 25 char * data;✓ 26 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));✓ 27 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));✓ 28 goto source;✓ 29source:30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination31 * buffer in various memory copying functions using a "large" source buffer. */✓ 32 data = dataBadBuffer;✓ 33 data[0] = '\0'; /* null terminate */34 {✓ 35 char source[100];✓ 36 memset(source, 'C', 100-1); /* fill with 'C's */✓ 37 source[100-1] = '\0'; /* null terminate */38 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 39 strncpy(data, source, 100-1);❗VULN✓ 40 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 41 printLine(data);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */50static void goodG2B()51{52 char * data;53 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));54 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));55 goto source;56source:57 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */58 data = dataGoodBuffer;59 data[0] = '\0'; /* null terminate */60 {61 char source[100];62 memset(source, 'C', 100-1); /* fill with 'C's */63 source[100-1] = '\0'; /* null terminate */64 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */65 strncpy(data, source, 100-1);66 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */67 printLine(data);68 }69}7071void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18_good()72{73 goodG2B();74}7576#endif /* OMITGOOD */7778/* Below is the main(). It is only used when building this testcase on79 * its own for testing or for building a binary to use in testing binary80 * analysis tools. It is not used when compiling all the testcases as one81 * application, which is how source code analysis tools are tested.82 */8384#ifdef INCLUDEMAIN8586int main(int argc, char * argv[])87{88 /* seed randomness */89 srand( (unsigned)time(NULL) );90#ifndef OMITGOOD91 printLine("Calling good()...");92 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18_good();93 printLine("Finished good()");94#endif /* OMITGOOD */95#ifndef OMITBAD96 printLine("Calling bad()...");97 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18_bad();98 printLine("Finished bad()");99#endif /* OMITBAD */100 return 0;101}102103#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-32.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy int array to data using a loop13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32_bad()22{✓ 23 int * data;✓ 24 int * *dataPtr1 = &data;✓ 25 int * *dataPtr2 = &data;✓ 26 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));✓ 27 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));28 {✓ 29 int * data = *dataPtr1;30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination31 * buffer in various memory copying functions using a "large" source buffer. */✓ 32 data = dataBadBuffer;✓ 33 *dataPtr1 = data;34 }35 {✓ 36 int * data = *dataPtr2;37 {✓ 38 int source[100] = {0}; /* fill with 0's */39 {✓ 40 size_t i;41 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 42 for (i = 0; i < 100; i++)43 {✓ 44 data[i] = source[i];❗VULN45 }✓ 46 printIntLine(data[0]);47 }48 }49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B() uses the GoodSource with the BadSink */57static void goodG2B()58{59 int * data;60 int * *dataPtr1 = &data;61 int * *dataPtr2 = &data;62 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));63 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));64 {65 int * data = *dataPtr1;66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */67 data = dataGoodBuffer;68 *dataPtr1 = data;69 }70 {71 int * data = *dataPtr2;72 {73 int source[100] = {0}; /* fill with 0's */74 {75 size_t i;76 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */77 for (i = 0; i < 100; i++)78 {79 data[i] = source[i];80 }81 printIntLine(data[0]);82 }83 }84 }85}8687void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32_good()88{89 goodG2B();90}9192#endif /* OMITGOOD */9394/* Below is the main(). It is only used when building this testcase on95 * its own for testing or for building a binary to use in testing binary96 * analysis tools. It is not used when compiling all the testcases as one97 * application, which is how source code analysis tools are tested.98 */99#ifdef INCLUDEMAIN100101int main(int argc, char * argv[])102{103 /* seed randomness */104 srand( (unsigned)time(NULL) );105#ifndef OMITGOOD106 printLine("Calling good()...");107 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32_good();108 printLine("Finished good()");109#endif /* OMITGOOD */110#ifndef OMITBAD111 printLine("Calling bad()...");112 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32_bad();113 printLine("Finished bad()");114#endif /* OMITBAD */115 return 0;116}117118#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 7 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68b.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-68b.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: ncpy12 * BadSink : Copy string to data using wcsncpy13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021extern wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68_badData;22extern wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68_goodG2BData;2324/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */2526#ifndef OMITBAD2728void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68b_badSink()29{✓ 30 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68_badData;31 {✓ 32 wchar_t source[100];✓ 33 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 34 source[100-1] = L'\0'; /* null terminate */35 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 36 wcsncpy(data, source, 100-1);❗VULN✓ 37 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 38 printWLine(data);39 }40}4142#endif /* OMITBAD */4344#ifndef OMITGOOD4546/* goodG2B uses the GoodSource with the BadSink */47void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68b_goodG2BSink()48{49 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68_goodG2BData;50 {51 wchar_t source[100];52 wmemset(source, L'C', 100-1); /* fill with L'C's */53 source[100-1] = L'\0'; /* null terminate */54 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */55 wcsncpy(data, source, 100-1);56 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */57 printWLine(data);58 }59}6061#endif /* OMITGOOD */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__char_declare_memcpy_09.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-09.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__char_declare_memcpy_09_bad()24{✓ 25 char * data;✓ 26 char dataBuffer[100];✓ 27 memset(dataBuffer, 'A', 100-1);✓ 28 dataBuffer[100-1] = '\0';✓ 29 if(GLOBAL_CONST_TRUE)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 char source[100];✓ 36 memset(source, 'C', 100-1); /* fill with 'C's */✓ 37 source[100-1] = '\0'; /* null terminate */38 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 39 memcpy(data, source, 100*sizeof(char));❗VULN40 /* Ensure the destination buffer is null terminated */✓ 41 data[100-1] = '\0';✓ 42 printLine(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */51static void goodG2B1()52{53 char * data;54 char dataBuffer[100];55 memset(dataBuffer, 'A', 100-1);56 dataBuffer[100-1] = '\0';57 if(GLOBAL_CONST_FALSE)58 {59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */60 printLine("Benign, fixed string");61 }62 else63 {64 /* FIX: Set data pointer to the allocated memory buffer */65 data = dataBuffer;66 }67 {68 char source[100];69 memset(source, 'C', 100-1); /* fill with 'C's */70 source[100-1] = '\0'; /* null terminate */71 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */72 memcpy(data, source, 100*sizeof(char));73 /* Ensure the destination buffer is null terminated */74 data[100-1] = '\0';75 printLine(data);76 }77}7879/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */80static void goodG2B2()81{82 char * data;83 char dataBuffer[100];84 memset(dataBuffer, 'A', 100-1);85 dataBuffer[100-1] = '\0';86 if(GLOBAL_CONST_TRUE)87 {88 /* FIX: Set data pointer to the allocated memory buffer */89 data = dataBuffer;90 }91 {92 char source[100];93 memset(source, 'C', 100-1); /* fill with 'C's */94 source[100-1] = '\0'; /* null terminate */95 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */96 memcpy(data, source, 100*sizeof(char));97 /* Ensure the destination buffer is null terminated */98 data[100-1] = '\0';99 printLine(data);100 }101}102103void CWE124_Buffer_Underwrite__char_declare_memcpy_09_good()104{105 goodG2B1();106 goodG2B2();107}108109#endif /* OMITGOOD */110111/* Below is the main(). It is only used when building this testcase on112 * its own for testing or for building a binary to use in testing binary113 * analysis tools. It is not used when compiling all the testcases as one114 * application, which is how source code analysis tools are tested.115 */116117#ifdef INCLUDEMAIN118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 CWE124_Buffer_Underwrite__char_declare_memcpy_09_good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 CWE124_Buffer_Underwrite__char_declare_memcpy_09_bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml4Template File: sources-sink-14.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy int array to data using memmove13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14_bad()22{✓ 23 int * data;✓ 24 data = NULL;✓ 25 if(globalFive==5)26 {27 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 28 data = (int *)malloc(50*sizeof(int));✓ 29 if (data == NULL) {exit(-1);}30 }31 {✓ 32 int source[100] = {0}; /* fill with 0's */33 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 34 memmove(data, source, 100*sizeof(int));❗VULN✓ 35 printIntLine(data[0]);✓ 36 free(data);37 }38}3940#endif /* OMITBAD */4142#ifndef OMITGOOD4344/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */45static void goodG2B1()46{47 int * data;48 data = NULL;49 if(globalFive!=5)50 {51 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */52 printLine("Benign, fixed string");53 }54 else55 {56 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */57 data = (int *)malloc(100*sizeof(int));58 if (data == NULL) {exit(-1);}59 }60 {61 int source[100] = {0}; /* fill with 0's */62 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */63 memmove(data, source, 100*sizeof(int));64 printIntLine(data[0]);65 free(data);66 }67}6869/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */70static void goodG2B2()71{72 int * data;73 data = NULL;74 if(globalFive==5)75 {76 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */77 data = (int *)malloc(100*sizeof(int));78 if (data == NULL) {exit(-1);}79 }80 {81 int source[100] = {0}; /* fill with 0's */82 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */83 memmove(data, source, 100*sizeof(int));84 printIntLine(data[0]);85 free(data);86 }87}8889void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14_good()90{91 goodG2B1();92 goodG2B2();93}9495#endif /* OMITGOOD */9697/* Below is the main(). It is only used when building this testcase on98 * its own for testing or for building a binary to use in testing binary99 * analysis tools. It is not used when compiling all the testcases as one100 * application, which is how source code analysis tools are tested.101 */102103#ifdef INCLUDEMAIN104105int main(int argc, char * argv[])106{107 /* seed randomness */108 srand( (unsigned)time(NULL) );109#ifndef OMITGOOD110 printLine("Calling good()...");111 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14_good();112 printLine("Finished good()");113#endif /* OMITGOOD */114#ifndef OMITBAD115 printLine("Calling bad()...");116 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14_bad();117 printLine("Finished bad()");118#endif /* OMITBAD */119 return 0;120}121122#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__malloc_char_memcpy_01.c3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml4Template File: sources-sink-01.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__malloc_char_memcpy_01_bad()24{✓ 25 char * data;✓ 26 data = NULL;27 /* FLAW: Use a small buffer */✓ 28 data = (char *)malloc(50*sizeof(char));✓ 29 if (data == NULL) {exit(-1);}✓ 30 memset(data, 'A', 50-1); /* fill with 'A's */✓ 31 data[50-1] = '\0'; /* null terminate */32 {✓ 33 char dest[100];✓ 34 memset(dest, 'C', 100-1);✓ 35 dest[100-1] = '\0'; /* null terminate */36 /* POTENTIAL FLAW: using memcpy with the length of the dest where data37 * could be smaller than dest causing buffer overread */✓ 38 memcpy(dest, data, strlen(dest)*sizeof(char));❗VULN✓ 39 dest[100-1] = '\0';✓ 40 printLine(dest);✓ 41 free(data);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B uses the GoodSource with the BadSink */50static void goodG2B()51{52 char * data;53 data = NULL;54 /* FIX: Use a large buffer */55 data = (char *)malloc(100*sizeof(char));56 if (data == NULL) {exit(-1);}57 memset(data, 'A', 100-1); /* fill with 'A's */58 data[100-1] = '\0'; /* null terminate */59 {60 char dest[100];61 memset(dest, 'C', 100-1);62 dest[100-1] = '\0'; /* null terminate */63 /* POTENTIAL FLAW: using memcpy with the length of the dest where data64 * could be smaller than dest causing buffer overread */65 memcpy(dest, data, strlen(dest)*sizeof(char));66 dest[100-1] = '\0';67 printLine(dest);68 free(data);69 }70}7172void CWE126_Buffer_Overread__malloc_char_memcpy_01_good()73{74 goodG2B();75}7677#endif /* OMITGOOD */7879/* Below is the main(). It is only used when building this testcase on80 * its own for testing or for building a binary to use in testing binary81 * analysis tools. It is not used when compiling all the testcases as one82 * application, which is how source code analysis tools are tested.83 */8485#ifdef INCLUDEMAIN8687int main(int argc, char * argv[])88{89 /* seed randomness */90 srand( (unsigned)time(NULL) );91#ifndef OMITGOOD92 printLine("Calling good()...");93 CWE126_Buffer_Overread__malloc_char_memcpy_01_good();94 printLine("Finished good()");95#endif /* OMITGOOD */96#ifndef OMITBAD97 printLine("Calling bad()...");98 CWE126_Buffer_Overread__malloc_char_memcpy_01_bad();99 printLine("Finished bad()");100#endif /* OMITBAD */101 return 0;102}103104#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22a.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-22a.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncat12 * BadSink : Copy data to string using strncat13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223/* The global variable below is used to drive control flow in the source function */24int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_badGlobal = 0;2526char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_badSource(char * data);2728void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_bad()29{✓ 30 char * data;✓ 31 data = (char *)malloc(100*sizeof(char));✓ 32 if (data == NULL) {exit(-1);}✓ 33 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_badGlobal = 1; /* true */✓ 34 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_badSource(data);35 {✓ 36 char dest[50] = "";37 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/✓ 38 strncat(dest, data, strlen(data));❗VULN✓ 39 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 40 printLine(data);✓ 41 free(data);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* The global variables below are used to drive control flow in the source functions. */50int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B1Global = 0;51int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B2Global = 0;5253/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */54char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B1Source(char * data);5556static void goodG2B1()57{58 char * data;59 data = (char *)malloc(100*sizeof(char));60 if (data == NULL) {exit(-1);}61 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B1Global = 0; /* false */62 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B1Source(data);63 {64 char dest[50] = "";65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/66 strncat(dest, data, strlen(data));67 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */68 printLine(data);69 free(data);70 }71}7273/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */74char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B2Source(char * data);7576static void goodG2B2()77{78 char * data;79 data = (char *)malloc(100*sizeof(char));80 if (data == NULL) {exit(-1);}81 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B2Global = 1; /* true */82 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B2Source(data);83 {84 char dest[50] = "";85 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/86 strncat(dest, data, strlen(data));87 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */88 printLine(data);89 free(data);90 }91}9293void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_good()94{95 goodG2B1();96 goodG2B2();97}9899#endif /* OMITGOOD */100101/* Below is the main(). It is only used when building this testcase on102 * its own for testing or for building a binary to use in testing binary103 * analysis tools. It is not used when compiling all the testcases as one104 * application, which is how source code analysis tools are tested.105 */106107#ifdef INCLUDEMAIN108109int main(int argc, char * argv[])110{111 /* seed randomness */112 srand( (unsigned)time(NULL) );113#ifndef OMITGOOD114 printLine("Calling good()...");115 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_good();116 printLine("Finished good()");117#endif /* OMITGOOD */118#ifndef OMITBAD119 printLine("Calling bad()...");120 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_bad();121 printLine("Finished bad()");122#endif /* OMITBAD */123 return 0;124}125126#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml4Template File: sources-sink-10.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Point data to a buffer that does not have space for a NULL terminator10 * GoodSource: Point data to a buffer that includes space for a NULL terminator11 * Sink: memmove12 * BadSink : Copy string to data using memmove()13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526#ifndef OMITBAD2728void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10_bad()29{✓ 30 char * data;✓ 31 char dataBadBuffer[10];✓ 32 char dataGoodBuffer[10+1];✓ 33 if(globalTrue)34 {35 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing36 * string copies in the sinks */✓ 37 data = dataBadBuffer;✓ 38 data[0] = '\0'; /* null terminate */39 }40 {✓ 41 char source[10+1] = SRC_STRING;42 /* Copy length + 1 to include NUL terminator from source */43 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 44 memmove(data, source, (strlen(source) + 1) * sizeof(char));❗VULN✓ 45 printLine(data);46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */54static void goodG2B1()55{56 char * data;57 char dataBadBuffer[10];58 char dataGoodBuffer[10+1];59 if(globalFalse)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing67 * string copies in the sinks */68 data = dataGoodBuffer;69 data[0] = '\0'; /* null terminate */70 }71 {72 char source[10+1] = SRC_STRING;73 /* Copy length + 1 to include NUL terminator from source */74 /* POTENTIAL FLAW: data may not have enough space to hold source */75 memmove(data, source, (strlen(source) + 1) * sizeof(char));76 printLine(data);77 }78}7980/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */81static void goodG2B2()82{83 char * data;84 char dataBadBuffer[10];85 char dataGoodBuffer[10+1];86 if(globalTrue)87 {88 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing89 * string copies in the sinks */90 data = dataGoodBuffer;91 data[0] = '\0'; /* null terminate */92 }93 {94 char source[10+1] = SRC_STRING;95 /* Copy length + 1 to include NUL terminator from source */96 /* POTENTIAL FLAW: data may not have enough space to hold source */97 memmove(data, source, (strlen(source) + 1) * sizeof(char));98 printLine(data);99 }100}101102void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10_good()103{104 goodG2B1();105 goodG2B2();106}107108#endif /* OMITGOOD */109110/* Below is the main(). It is only used when building this testcase on111 * its own for testing or for building a binary to use in testing binary112 * analysis tools. It is not used when compiling all the testcases as one113 * application, which is how source code analysis tools are tested.114 */115116#ifdef INCLUDEMAIN117118int main(int argc, char * argv[])119{120 /* seed randomness */121 srand( (unsigned)time(NULL) );122#ifndef OMITGOOD123 printLine("Calling good()...");124 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10_good();125 printLine("Finished good()");126#endif /* OMITGOOD */127#ifndef OMITBAD128 printLine("Calling bad()...");129 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10_bad();130 printLine("Finished bad()");131#endif /* OMITBAD */132 return 0;133}134135#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__wchar_t_alloca_memmove_31.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-31.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sinks: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 31 Data flow using a copy of data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__wchar_t_alloca_memmove_31_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));✓ 27 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 28 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */✓ 29 dataBadBuffer[50-1] = L'\0'; /* null terminate */✓ 30 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */✓ 31 dataGoodBuffer[100-1] = L'\0'; /* null terminate */32 /* FLAW: Set data pointer to a small buffer */✓ 33 data = dataBadBuffer;34 {✓ 35 wchar_t * dataCopy = data;✓ 36 wchar_t * data = dataCopy;37 {✓ 38 wchar_t dest[100];✓ 39 wmemset(dest, L'C', 100-1);✓ 40 dest[100-1] = L'\0'; /* null terminate */41 /* POTENTIAL FLAW: using memmove with the length of the dest where data42 * could be smaller than dest causing buffer overread */✓ 43 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN✓ 44 dest[100-1] = L'\0';✓ 45 printWLine(dest);46 }47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B() uses the GoodSource with the BadSink */55static void goodG2B()56{57 wchar_t * data;58 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));59 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));60 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */61 dataBadBuffer[50-1] = L'\0'; /* null terminate */62 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */63 dataGoodBuffer[100-1] = L'\0'; /* null terminate */64 /* FIX: Set data pointer to a large buffer */65 data = dataGoodBuffer;66 {67 wchar_t * dataCopy = data;68 wchar_t * data = dataCopy;69 {70 wchar_t dest[100];71 wmemset(dest, L'C', 100-1);72 dest[100-1] = L'\0'; /* null terminate */73 /* POTENTIAL FLAW: using memmove with the length of the dest where data74 * could be smaller than dest causing buffer overread */75 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));76 dest[100-1] = L'\0';77 printWLine(dest);78 }79 }80}8182void CWE126_Buffer_Overread__wchar_t_alloca_memmove_31_good()83{84 goodG2B();85}8687#endif /* OMITGOOD */8889/* Below is the main(). It is only used when building this testcase on90 * its own for testing or for building a binary to use in testing binary91 * analysis tools. It is not used when compiling all the testcases as one92 * application, which is how source code analysis tools are tested.93 */94#ifdef INCLUDEMAIN9596int main(int argc, char * argv[])97{98 /* seed randomness */99 srand( (unsigned)time(NULL) );100#ifndef OMITGOOD101 printLine("Calling good()...");102 CWE126_Buffer_Overread__wchar_t_alloca_memmove_31_good();103 printLine("Finished good()");104#endif /* OMITGOOD */105#ifndef OMITBAD106 printLine("Calling bad()...");107 CWE126_Buffer_Overread__wchar_t_alloca_memmove_31_bad();108 printLine("Finished bad()");109#endif /* OMITBAD */110 return 0;111}112113#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-15.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 15 Control flow: switch(6)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15_bad()24{✓ 25 char * data;✓ 26 char dataBadBuffer[50];✓ 27 char dataGoodBuffer[100];✓ 28 switch(6)29 {✓ 30 case 6:31 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination32 * buffer in various memory copying functions using a "large" source buffer. */✓ 33 data = dataBadBuffer;✓ 34 data[0] = '\0'; /* null terminate */✓ 35 break;✓ 36 default:37 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 38 printLine("Benign, fixed string");✓ 39 break;40 }41 {✓ 42 char source[100];✓ 43 memset(source, 'C', 100-1); /* fill with 'C's */✓ 44 source[100-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 46 memcpy(data, source, 100*sizeof(char));❗VULN✓ 47 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 48 printLine(data);49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */57static void goodG2B1()58{59 char * data;60 char dataBadBuffer[50];61 char dataGoodBuffer[100];62 switch(5)63 {64 case 6:65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 break;68 default:69 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */70 data = dataGoodBuffer;71 data[0] = '\0'; /* null terminate */72 break;73 }74 {75 char source[100];76 memset(source, 'C', 100-1); /* fill with 'C's */77 source[100-1] = '\0'; /* null terminate */78 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */79 memcpy(data, source, 100*sizeof(char));80 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */81 printLine(data);82 }83}8485/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */86static void goodG2B2()87{88 char * data;89 char dataBadBuffer[50];90 char dataGoodBuffer[100];91 switch(6)92 {93 case 6:94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */95 data = dataGoodBuffer;96 data[0] = '\0'; /* null terminate */97 break;98 default:99 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */100 printLine("Benign, fixed string");101 break;102 }103 {104 char source[100];105 memset(source, 'C', 100-1); /* fill with 'C's */106 source[100-1] = '\0'; /* null terminate */107 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */108 memcpy(data, source, 100*sizeof(char));109 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */110 printLine(data);111 }112}113114void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15_good()115{116 goodG2B1();117 goodG2B2();118}119120#endif /* OMITGOOD */121122/* Below is the main(). It is only used when building this testcase on123 * its own for testing or for building a binary to use in testing binary124 * analysis tools. It is not used when compiling all the testcases as one125 * application, which is how source code analysis tools are tested.126 */127128#ifdef INCLUDEMAIN129130int main(int argc, char * argv[])131{132 /* seed randomness */133 srand( (unsigned)time(NULL) );134#ifndef OMITGOOD135 printLine("Calling good()...");136 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15_good();137 printLine("Finished good()");138#endif /* OMITGOOD */139#ifndef OMITBAD140 printLine("Calling bad()...");141 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15_bad();142 printLine("Finished bad()");143#endif /* OMITBAD */144 return 0;145}146147#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy int array to data using a loop13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819/* The variable below is not declared "const", but is never assigned20 * any other value so a tool should be able to identify that reads of21 * this will always give its initialized value.22 */23static int staticFive = 5;2425#ifndef OMITBAD2627void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07_bad()28{✓ 29 int * data;✓ 30 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));✓ 31 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));✓ 32 if(staticFive==5)33 {34 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination35 * buffer in various memory copying functions using a "large" source buffer. */✓ 36 data = dataBadBuffer;37 }38 {✓ 39 int source[100] = {0}; /* fill with 0's */40 {✓ 41 size_t i;42 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 43 for (i = 0; i < 100; i++)44 {✓ 45 data[i] = source[i];❗VULN46 }✓ 47 printIntLine(data[0]);48 }49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */57static void goodG2B1()58{59 int * data;60 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));61 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));62 if(staticFive!=5)63 {64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */65 printLine("Benign, fixed string");66 }67 else68 {69 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */70 data = dataGoodBuffer;71 }72 {73 int source[100] = {0}; /* fill with 0's */74 {75 size_t i;76 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */77 for (i = 0; i < 100; i++)78 {79 data[i] = source[i];80 }81 printIntLine(data[0]);82 }83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 int * data;90 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));91 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));92 if(staticFive==5)93 {94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */95 data = dataGoodBuffer;96 }97 {98 int source[100] = {0}; /* fill with 0's */99 {100 size_t i;101 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */102 for (i = 0; i < 100; i++)103 {104 data[i] = source[i];105 }106 printIntLine(data[0]);107 }108 }109}110111void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07_good()112{113 goodG2B1();114 goodG2B2();115}116117#endif /* OMITGOOD */118119/* Below is the main(). It is only used when building this testcase on120 * its own for testing or for building a binary to use in testing binary121 * analysis tools. It is not used when compiling all the testcases as one122 * application, which is how source code analysis tools are tested.123 */124125#ifdef INCLUDEMAIN126127int main(int argc, char * argv[])128{129 /* seed randomness */130 srand( (unsigned)time(NULL) );131#ifndef OMITGOOD132 printLine("Calling good()...");133 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07_good();134 printLine("Finished good()");135#endif /* OMITGOOD */136#ifndef OMITBAD137 printLine("Calling bad()...");138 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07_bad();139 printLine("Finished bad()");140#endif /* OMITBAD */141 return 0;142}143144#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_declare_memcpy_04.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-04.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are declared "const", so a tool should22 * be able to identify that reads of these will always return their23 * initialized values.24 */25static const int STATIC_CONST_TRUE = 1; /* true */26static const int STATIC_CONST_FALSE = 0; /* false */2728#ifndef OMITBAD2930void CWE127_Buffer_Underread__char_declare_memcpy_04_bad()31{✓ 32 char * data;✓ 33 char dataBuffer[100];✓ 34 memset(dataBuffer, 'A', 100-1);✓ 35 dataBuffer[100-1] = '\0';✓ 36 if(STATIC_CONST_TRUE)37 {38 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 39 data = dataBuffer - 8;40 }41 {✓ 42 char dest[100];✓ 43 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 44 dest[100-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 46 memcpy(dest, data, 100*sizeof(char));❗VULN47 /* Ensure null termination */✓ 48 dest[100-1] = '\0';✓ 49 printLine(dest);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */58static void goodG2B1()59{60 char * data;61 char dataBuffer[100];62 memset(dataBuffer, 'A', 100-1);63 dataBuffer[100-1] = '\0';64 if(STATIC_CONST_FALSE)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 /* FIX: Set data pointer to the allocated memory buffer */72 data = dataBuffer;73 }74 {75 char dest[100];76 memset(dest, 'C', 100-1); /* fill with 'C's */77 dest[100-1] = '\0'; /* null terminate */78 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */79 memcpy(dest, data, 100*sizeof(char));80 /* Ensure null termination */81 dest[100-1] = '\0';82 printLine(dest);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 char * data;90 char dataBuffer[100];91 memset(dataBuffer, 'A', 100-1);92 dataBuffer[100-1] = '\0';93 if(STATIC_CONST_TRUE)94 {95 /* FIX: Set data pointer to the allocated memory buffer */96 data = dataBuffer;97 }98 {99 char dest[100];100 memset(dest, 'C', 100-1); /* fill with 'C's */101 dest[100-1] = '\0'; /* null terminate */102 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */103 memcpy(dest, data, 100*sizeof(char));104 /* Ensure null termination */105 dest[100-1] = '\0';106 printLine(dest);107 }108}109110void CWE127_Buffer_Underread__char_declare_memcpy_04_good()111{112 goodG2B1();113 goodG2B2();114}115116#endif /* OMITGOOD */117118/* Below is the main(). It is only used when building this testcase on119 * its own for testing or for building a binary to use in testing binary120 * analysis tools. It is not used when compiling all the testcases as one121 * application, which is how source code analysis tools are tested.122 */123124#ifdef INCLUDEMAIN125126int main(int argc, char * argv[])127{128 /* seed randomness */129 srand( (unsigned)time(NULL) );130#ifndef OMITGOOD131 printLine("Calling good()...");132 CWE127_Buffer_Underread__char_declare_memcpy_04_good();133 printLine("Finished good()");134#endif /* OMITGOOD */135#ifndef OMITBAD136 printLine("Calling bad()...");137 CWE127_Buffer_Underread__char_declare_memcpy_04_bad();138 printLine("Finished bad()");139#endif /* OMITBAD */140 return 0;141}142143#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 6 | Sink Nodes: 2 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-45.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sinks: swprintf12 * BadSink : Copy string to data using swprintf13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_badData;28static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_goodG2BData;2930#ifndef OMITBAD3132static void badSink()33{✗ 34 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_badData;35 {✓ 36 wchar_t source[100];✓ 37 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 38 source[100-1] = L'\0'; /* null terminate */39 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 40 SNPRINTF(data, 100, L"%s", source);❗VULN✓ 41 printWLine(data);42 }43}4445void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_bad()46{47 wchar_t * data;48 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));49 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));50 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination51 * buffer in various memory copying functions using a "large" source buffer. */52 data = dataBadBuffer;53 data[0] = L'\0'; /* null terminate */54 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_badData = data;55 badSink();56}5758#endif /* OMITBAD */5960#ifndef OMITGOOD6162/* goodG2B() uses the GoodSource with the BadSink */63static void goodG2BSink()64{65 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_goodG2BData;66 {67 wchar_t source[100];68 wmemset(source, L'C', 100-1); /* fill with L'C's */69 source[100-1] = L'\0'; /* null terminate */70 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */71 SNPRINTF(data, 100, L"%s", source);72 printWLine(data);73 }74}7576static void goodG2B()77{78 wchar_t * data;79 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));80 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));81 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */82 data = dataGoodBuffer;83 data[0] = L'\0'; /* null terminate */84 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_goodG2BData = data;85 goodG2BSink();86}8788void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_good()89{90 goodG2B();91}9293#endif /* OMITGOOD */9495/* Below is the main(). It is only used when building this testcase on96 * its own for testing or for building a binary to use in testing binary97 * analysis tools. It is not used when compiling all the testcases as one98 * application, which is how source code analysis tools are tested.99 */100#ifdef INCLUDEMAIN101102int main(int argc, char * argv[])103{104 /* seed randomness */105 srand( (unsigned)time(NULL) );106#ifndef OMITGOOD107 printLine("Calling good()...");108 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_good();109 printLine("Finished good()");110#endif /* OMITGOOD */111#ifndef OMITBAD112 printLine("Calling bad()...");113 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_bad();114 printLine("Finished bad()");115#endif /* OMITBAD */116 return 0;117}118119#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml4Template File: sources-sink-10.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: ncat12 * BadSink : Copy string to data using strncat13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10_bad()24{✓ 25 char * data;✓ 26 data = NULL;✓ 27 if(globalTrue)28 {29 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 30 data = (char *)malloc(50*sizeof(char));✓ 31 if (data == NULL) {exit(-1);}✓ 32 data[0] = '\0'; /* null terminate */33 }34 {✓ 35 char source[100];✓ 36 memset(source, 'C', 100-1); /* fill with 'C's */✓ 37 source[100-1] = '\0'; /* null terminate */38 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 39 strncat(data, source, 100);❗VULN✓ 40 printLine(data);✓ 41 free(data);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */50static void goodG2B1()51{52 char * data;53 data = NULL;54 if(globalFalse)55 {56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */57 printLine("Benign, fixed string");58 }59 else60 {61 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */62 data = (char *)malloc(100*sizeof(char));63 if (data == NULL) {exit(-1);}64 data[0] = '\0'; /* null terminate */65 }66 {67 char source[100];68 memset(source, 'C', 100-1); /* fill with 'C's */69 source[100-1] = '\0'; /* null terminate */70 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */71 strncat(data, source, 100);72 printLine(data);73 free(data);74 }75}7677/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */78static void goodG2B2()79{80 char * data;81 data = NULL;82 if(globalTrue)83 {84 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */85 data = (char *)malloc(100*sizeof(char));86 if (data == NULL) {exit(-1);}87 data[0] = '\0'; /* null terminate */88 }89 {90 char source[100];91 memset(source, 'C', 100-1); /* fill with 'C's */92 source[100-1] = '\0'; /* null terminate */93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */94 strncat(data, source, 100);95 printLine(data);96 free(data);97 }98}99100void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10_good()101{102 goodG2B1();103 goodG2B2();104}105106#endif /* OMITGOOD */107108/* Below is the main(). It is only used when building this testcase on109 * its own for testing or for building a binary to use in testing binary110 * analysis tools. It is not used when compiling all the testcases as one111 * application, which is how source code analysis tools are tested.112 */113114#ifdef INCLUDEMAIN115116int main(int argc, char * argv[])117{118 /* seed randomness */119 srand( (unsigned)time(NULL) );120#ifndef OMITGOOD121 printLine("Calling good()...");122 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10_good();123 printLine("Finished good()");124#endif /* OMITGOOD */125#ifndef OMITBAD126 printLine("Calling bad()...");127 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10_bad();128 printLine("Finished bad()");129#endif /* OMITBAD */130 return 0;131}132133#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sinks: cpy12 * BadSink : Copy string to data using strcpy()13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526typedef union27{28 char * unionFirst;29 char * unionSecond;30} CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_unionType;3132#ifndef OMITBAD3334void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_bad()35{✓ 36 char * data;✓ 37 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_unionType myUnion;✓ 38 data = NULL;39 /* FLAW: Did not leave space for a null terminator */✓ 40 data = (char *)malloc(10*sizeof(char));✓ 41 if (data == NULL) {exit(-1);}✓ 42 myUnion.unionFirst = data;43 {✓ 44 char * data = myUnion.unionSecond;45 {✓ 46 char source[10+1] = SRC_STRING;47 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 48 strcpy(data, source);❗VULN✓ 49 printLine(data);✓ 50 free(data);51 }52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B() uses the GoodSource with the BadSink */60static void goodG2B()61{62 char * data;63 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_unionType myUnion;64 data = NULL;65 /* FIX: Allocate space for a null terminator */66 data = (char *)malloc((10+1)*sizeof(char));67 if (data == NULL) {exit(-1);}68 myUnion.unionFirst = data;69 {70 char * data = myUnion.unionSecond;71 {72 char source[10+1] = SRC_STRING;73 /* POTENTIAL FLAW: data may not have enough space to hold source */74 strcpy(data, source);75 printLine(data);76 free(data);77 }78 }79}8081void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_good()82{83 goodG2B();84}8586#endif /* OMITGOOD */8788/* Below is the main(). It is only used when building this testcase on89 * its own for testing or for building a binary to use in testing binary90 * analysis tools. It is not used when compiling all the testcases as one91 * application, which is how source code analysis tools are tested.92 */93#ifdef INCLUDEMAIN9495int main(int argc, char * argv[])96{97 /* seed randomness */98 srand( (unsigned)time(NULL) );99#ifndef OMITGOOD100 printLine("Calling good()...");101 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_good();102 printLine("Finished good()");103#endif /* OMITGOOD */104#ifndef OMITBAD105 printLine("Calling bad()...");106 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_bad();107 printLine("Finished bad()");108#endif /* OMITBAD */109 return 0;110}111112#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 20 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__wchar_t_alloca_loop_08.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-08.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two function below always return the same value, so a tool22 * should be able to identify that calls to the functions will always23 * return a fixed value.24 */25static int staticReturnsTrue()26{27 return 1;28}2930static int staticReturnsFalse()31{32 return 0;33}3435#ifndef OMITBAD3637void CWE126_Buffer_Overread__wchar_t_alloca_loop_08_bad()38{✓ 39 wchar_t * data;✓ 40 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));✓ 41 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 42 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */✓ 43 dataBadBuffer[50-1] = L'\0'; /* null terminate */✓ 44 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */✓ 45 dataGoodBuffer[100-1] = L'\0'; /* null terminate */✓ 46 if(staticReturnsTrue())47 {48 /* FLAW: Set data pointer to a small buffer */✓ 49 data = dataBadBuffer;50 }51 {✓ 52 size_t i, destLen;✓ 53 wchar_t dest[100];✓ 54 wmemset(dest, L'C', 100-1);✓ 55 dest[100-1] = L'\0'; /* null terminate */✓ 56 destLen = wcslen(dest);57 /* POTENTIAL FLAW: using length of the dest where data58 * could be smaller than dest causing buffer overread */✓ 59 for (i = 0; i < destLen; i++)60 {✓ 61 dest[i] = data[i];❗VULN62 }✓ 63 dest[100-1] = L'\0';✓ 64 printWLine(dest);65 }66}6768#endif /* OMITBAD */6970#ifndef OMITGOOD7172/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */73static void goodG2B1()74{75 wchar_t * data;76 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));77 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));78 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */79 dataBadBuffer[50-1] = L'\0'; /* null terminate */80 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */81 dataGoodBuffer[100-1] = L'\0'; /* null terminate */82 if(staticReturnsFalse())83 {84 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */85 printLine("Benign, fixed string");86 }87 else88 {89 /* FIX: Set data pointer to a large buffer */90 data = dataGoodBuffer;91 }92 {93 size_t i, destLen;94 wchar_t dest[100];95 wmemset(dest, L'C', 100-1);96 dest[100-1] = L'\0'; /* null terminate */97 destLen = wcslen(dest);98 /* POTENTIAL FLAW: using length of the dest where data99 * could be smaller than dest causing buffer overread */100 for (i = 0; i < destLen; i++)101 {102 dest[i] = data[i];103 }104 dest[100-1] = L'\0';105 printWLine(dest);106 }107}108109/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */110static void goodG2B2()111{112 wchar_t * data;113 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));114 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));115 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */116 dataBadBuffer[50-1] = L'\0'; /* null terminate */117 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */118 dataGoodBuffer[100-1] = L'\0'; /* null terminate */119 if(staticReturnsTrue())120 {121 /* FIX: Set data pointer to a large buffer */122 data = dataGoodBuffer;123 }124 {125 size_t i, destLen;126 wchar_t dest[100];127 wmemset(dest, L'C', 100-1);128 dest[100-1] = L'\0'; /* null terminate */129 destLen = wcslen(dest);130 /* POTENTIAL FLAW: using length of the dest where data131 * could be smaller than dest causing buffer overread */132 for (i = 0; i < destLen; i++)133 {134 dest[i] = data[i];135 }136 dest[100-1] = L'\0';137 printWLine(dest);138 }139}140141void CWE126_Buffer_Overread__wchar_t_alloca_loop_08_good()142{143 goodG2B1();144 goodG2B2();145}146147#endif /* OMITGOOD */148149/* Below is the main(). It is only used when building this testcase on150 * its own for testing or for building a binary to use in testing binary151 * analysis tools. It is not used when compiling all the testcases as one152 * application, which is how source code analysis tools are tested.153 */154155#ifdef INCLUDEMAIN156157int main(int argc, char * argv[])158{159 /* seed randomness */160 srand( (unsigned)time(NULL) );161#ifndef OMITGOOD162 printLine("Calling good()...");163 CWE126_Buffer_Overread__wchar_t_alloca_loop_08_good();164 printLine("Finished good()");165#endif /* OMITGOOD */166#ifndef OMITBAD167 printLine("Calling bad()...");168 CWE126_Buffer_Overread__wchar_t_alloca_loop_08_bad();169 printLine("Finished bad()");170#endif /* OMITBAD */171 return 0;172}173174#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy int64_t array to data using memmove13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819/* The two variables below are not defined as "const", but are never20 * assigned any other value, so a tool should be able to identify that21 * reads of these will always return their initialized values.22 */23static int staticTrue = 1; /* true */24static int staticFalse = 0; /* false */2526#ifndef OMITBAD2728void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05_bad()29{✓ 30 int64_t * data;✓ 31 data = NULL;✓ 32 if(staticTrue)33 {34 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 35 data = (int64_t *)malloc(50*sizeof(int64_t));✓ 36 if (data == NULL) {exit(-1);}37 }38 {✓ 39 int64_t source[100] = {0}; /* fill with 0's */40 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 41 memmove(data, source, 100*sizeof(int64_t));❗VULN✓ 42 printLongLongLine(data[0]);✓ 43 free(data);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */52static void goodG2B1()53{54 int64_t * data;55 data = NULL;56 if(staticFalse)57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */64 data = (int64_t *)malloc(100*sizeof(int64_t));65 if (data == NULL) {exit(-1);}66 }67 {68 int64_t source[100] = {0}; /* fill with 0's */69 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */70 memmove(data, source, 100*sizeof(int64_t));71 printLongLongLine(data[0]);72 free(data);73 }74}7576/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */77static void goodG2B2()78{79 int64_t * data;80 data = NULL;81 if(staticTrue)82 {83 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */84 data = (int64_t *)malloc(100*sizeof(int64_t));85 if (data == NULL) {exit(-1);}86 }87 {88 int64_t source[100] = {0}; /* fill with 0's */89 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */90 memmove(data, source, 100*sizeof(int64_t));91 printLongLongLine(data[0]);92 free(data);93 }94}9596void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05_good()97{98 goodG2B1();99 goodG2B2();100}101102#endif /* OMITGOOD */103104/* Below is the main(). It is only used when building this testcase on105 * its own for testing or for building a binary to use in testing binary106 * analysis tools. It is not used when compiling all the testcases as one107 * application, which is how source code analysis tools are tested.108 */109110#ifdef INCLUDEMAIN111112int main(int argc, char * argv[])113{114 /* seed randomness */115 srand( (unsigned)time(NULL) );116#ifndef OMITGOOD117 printLine("Calling good()...");118 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05_good();119 printLine("Finished good()");120#endif /* OMITGOOD */121#ifndef OMITBAD122 printLine("Calling bad()...");123 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05_bad();124 printLine("Finished bad()");125#endif /* OMITBAD */126 return 0;127}128129#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_17.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_dest.label.xml4Template File: sources-sink-17.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: cpy12 * BadSink : Copy string to data using wcscpy13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_1722{2324#ifndef OMITBAD2526void bad()27{✓ 28 int i;✓ 29 wchar_t * data;✓ 30 data = NULL;✓ 31 for(i = 0; i < 1; i++)32 {33 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 34 data = new wchar_t[50];✓ 35 data[0] = L'\0'; /* null terminate */36 }37 {✓ 38 wchar_t source[100];✓ 39 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 40 source[100-1] = L'\0'; /* null terminate */41 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 42 wcscpy(data, source);❗VULN✓ 43 printWLine(data);✓ 44 delete [] data;45 }46}4748#endif /* OMITBAD */4950#ifndef OMITGOOD5152/* goodG2B() - use goodsource in the for statement */53static void goodG2B()54{55 int h;56 wchar_t * data;57 data = NULL;58 for(h = 0; h < 1; h++)59 {60 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */61 data = new wchar_t[100];62 data[0] = L'\0'; /* null terminate */63 }64 {65 wchar_t source[100];66 wmemset(source, L'C', 100-1); /* fill with L'C's */67 source[100-1] = L'\0'; /* null terminate */68 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */69 wcscpy(data, source);70 printWLine(data);71 delete [] data;72 }73}7475void good()76{77 goodG2B();78}7980#endif /* OMITGOOD */8182} /* close namespace */8384/* Below is the main(). It is only used when building this testcase on85 its own for testing or for building a binary to use in testing binary86 analysis tools. It is not used when compiling all the testcases as one87 application, which is how source code analysis tools are tested. */8889#ifdef INCLUDEMAIN9091using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_17; /* so that we can use good and bad easily */9293int main(int argc, char * argv[])94{95 /* seed randomness */96 srand( (unsigned)time(NULL) );97#ifndef OMITGOOD98 printLine("Calling good()...");99 good();100 printLine("Finished good()");101#endif /* OMITGOOD */102#ifndef OMITBAD103 printLine("Calling bad()...");104 bad();105 printLine("Finished bad()");106#endif /* OMITBAD */107 return 0;108}109110#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml4Template File: sources-sink-12.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Point data to a buffer that does not have space for a NULL terminator10 * GoodSource: Point data to a buffer that includes space for a NULL terminator11 * Sink: loop12 * BadSink : Copy array to data using a loop13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING L"AAAAAAAAAA"2526#ifndef OMITBAD2728void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12_bad()29{✓ 30 wchar_t * data;✓ 31 wchar_t dataBadBuffer[10];✓ 32 wchar_t dataGoodBuffer[10+1];✓ 33 if(globalReturnsTrueOrFalse())34 {35 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing36 * string copies in the sinks */✓ 37 data = dataBadBuffer;✓ 38 data[0] = L'\0'; /* null terminate */39 }40 else41 {42 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing43 * string copies in the sinks */✓ 44 data = dataGoodBuffer;✓ 45 data[0] = L'\0'; /* null terminate */46 }47 {✓ 48 wchar_t source[10+1] = SRC_STRING;✓ 49 size_t i, sourceLen;✓ 50 sourceLen = wcslen(source);51 /* Copy length + 1 to include NUL terminator from source */52 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 53 for (i = 0; i < sourceLen + 1; i++)54 {✓ 55 data[i] = source[i];❗VULN56 }✓ 57 printWLine(data);58 }59}6061#endif /* OMITBAD */6263#ifndef OMITGOOD6465/* goodG2B() - use goodsource and badsink by changing the "if" so that66 * both branches use the GoodSource */67static void goodG2B()68{69 wchar_t * data;70 wchar_t dataBadBuffer[10];71 wchar_t dataGoodBuffer[10+1];72 if(globalReturnsTrueOrFalse())73 {74 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing75 * string copies in the sinks */76 data = dataGoodBuffer;77 data[0] = L'\0'; /* null terminate */78 }79 else80 {81 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing82 * string copies in the sinks */83 data = dataGoodBuffer;84 data[0] = L'\0'; /* null terminate */85 }86 {87 wchar_t source[10+1] = SRC_STRING;88 size_t i, sourceLen;89 sourceLen = wcslen(source);90 /* Copy length + 1 to include NUL terminator from source */91 /* POTENTIAL FLAW: data may not have enough space to hold source */92 for (i = 0; i < sourceLen + 1; i++)93 {94 data[i] = source[i];95 }96 printWLine(data);97 }98}99100void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12_good()101{102 goodG2B();103}104105#endif /* OMITGOOD */106107/* Below is the main(). It is only used when building this testcase on108 * its own for testing or for building a binary to use in testing binary109 * analysis tools. It is not used when compiling all the testcases as one110 * application, which is how source code analysis tools are tested.111 */112113#ifdef INCLUDEMAIN114115int main(int argc, char * argv[])116{117 /* seed randomness */118 srand( (unsigned)time(NULL) );119#ifndef OMITGOOD120 printLine("Calling good()...");121 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12_good();122 printLine("Finished good()");123#endif /* OMITGOOD */124#ifndef OMITBAD125 printLine("Calling bad()...");126 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12_bad();127 printLine("Finished bad()");128#endif /* OMITBAD */129 return 0;130}131132#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_declare_ncpy_08.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-08.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: ncpy12 * BadSink : Copy data to string using strncpy13 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two function below always return the same value, so a tool22 * should be able to identify that calls to the functions will always23 * return a fixed value.24 */25static int staticReturnsTrue()26{27 return 1;28}2930static int staticReturnsFalse()31{32 return 0;33}3435#ifndef OMITBAD3637void CWE127_Buffer_Underread__char_declare_ncpy_08_bad()38{✓ 39 char * data;✓ 40 char dataBuffer[100];✓ 41 memset(dataBuffer, 'A', 100-1);✓ 42 dataBuffer[100-1] = '\0';✓ 43 if(staticReturnsTrue())44 {45 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 46 data = dataBuffer - 8;47 }48 {✓ 49 char dest[100];✓ 50 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 51 dest[100-1] = '\0'; /* null terminate */52 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 53 strncpy(dest, data, strlen(dest));❗VULN54 /* Ensure null termination */✓ 55 dest[100-1] = '\0';✓ 56 printLine(dest);57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */65static void goodG2B1()66{67 char * data;68 char dataBuffer[100];69 memset(dataBuffer, 'A', 100-1);70 dataBuffer[100-1] = '\0';71 if(staticReturnsFalse())72 {73 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */74 printLine("Benign, fixed string");75 }76 else77 {78 /* FIX: Set data pointer to the allocated memory buffer */79 data = dataBuffer;80 }81 {82 char dest[100];83 memset(dest, 'C', 100-1); /* fill with 'C's */84 dest[100-1] = '\0'; /* null terminate */85 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */86 strncpy(dest, data, strlen(dest));87 /* Ensure null termination */88 dest[100-1] = '\0';89 printLine(dest);90 }91}9293/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */94static void goodG2B2()95{96 char * data;97 char dataBuffer[100];98 memset(dataBuffer, 'A', 100-1);99 dataBuffer[100-1] = '\0';100 if(staticReturnsTrue())101 {102 /* FIX: Set data pointer to the allocated memory buffer */103 data = dataBuffer;104 }105 {106 char dest[100];107 memset(dest, 'C', 100-1); /* fill with 'C's */108 dest[100-1] = '\0'; /* null terminate */109 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */110 strncpy(dest, data, strlen(dest));111 /* Ensure null termination */112 dest[100-1] = '\0';113 printLine(dest);114 }115}116117void CWE127_Buffer_Underread__char_declare_ncpy_08_good()118{119 goodG2B1();120 goodG2B2();121}122123#endif /* OMITGOOD */124125/* Below is the main(). It is only used when building this testcase on126 * its own for testing or for building a binary to use in testing binary127 * analysis tools. It is not used when compiling all the testcases as one128 * application, which is how source code analysis tools are tested.129 */130131#ifdef INCLUDEMAIN132133int main(int argc, char * argv[])134{135 /* seed randomness */136 srand( (unsigned)time(NULL) );137#ifndef OMITGOOD138 printLine("Calling good()...");139 CWE127_Buffer_Underread__char_declare_ncpy_08_good();140 printLine("Finished good()");141#endif /* OMITGOOD */142#ifndef OMITBAD143 printLine("Calling bad()...");144 CWE127_Buffer_Underread__char_declare_ncpy_08_bad();145 printLine("Finished bad()");146#endif /* OMITBAD */147 return 0;148}149150#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memcpy_33.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sinks: memcpy12 * BadSink : Copy string to data using memcpy()13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING L"AAAAAAAAAA"2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memcpy_3327{2829#ifndef OMITBAD3031void bad()32{✓ 33 wchar_t * data;✓ 34 wchar_t * &dataRef = data;✓ 35 data = NULL;36 /* FLAW: Did not leave space for a null terminator */✓ 37 data = new wchar_t[10];38 {✓ 39 wchar_t * data = dataRef;40 {✓ 41 wchar_t source[10+1] = SRC_STRING;42 /* Copy length + 1 to include NUL terminator from source */43 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 44 memcpy(data, source, (wcslen(source) + 1) * sizeof(wchar_t));❗VULN✓ 45 printWLine(data);✓ 46 delete [] data;47 }48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() uses the GoodSource with the BadSink */56static void goodG2B()57{58 wchar_t * data;59 wchar_t * &dataRef = data;60 data = NULL;61 /* FIX: Allocate space for a null terminator */62 data = new wchar_t[10+1];63 {64 wchar_t * data = dataRef;65 {66 wchar_t source[10+1] = SRC_STRING;67 /* Copy length + 1 to include NUL terminator from source */68 /* POTENTIAL FLAW: data may not have enough space to hold source */69 memcpy(data, source, (wcslen(source) + 1) * sizeof(wchar_t));70 printWLine(data);71 delete [] data;72 }73 }74}7576void good()77{78 goodG2B();79}8081#endif /* OMITGOOD */8283} /* close namespace */8485/* Below is the main(). It is only used when building this testcase on86 its own for testing or for building a binary to use in testing binary87 analysis tools. It is not used when compiling all the testcases as one88 application, which is how source code analysis tools are tested. */89#ifdef INCLUDEMAIN9091using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memcpy_33; /* so that we can use good and bad easily */9293int main(int argc, char * argv[])94{95 /* seed randomness */96 srand( (unsigned)time(NULL) );97#ifndef OMITGOOD98 printLine("Calling good()...");99 good();100 printLine("Finished good()");101#endif /* OMITGOOD */102#ifndef OMITBAD103 printLine("Calling bad()...");104 bad();105 printLine("Finished bad()");106#endif /* OMITBAD */107 return 0;108}109110#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-17.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: ncat12 * BadSink : Copy string to data using wcsncat13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17_bad()24{✓ 25 int i;✓ 26 wchar_t * data;✓ 27 wchar_t dataBadBuffer[50];✓ 28 wchar_t dataGoodBuffer[100];✓ 29 for(i = 0; i < 1; i++)30 {31 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination32 * buffer in various memory copying functions using a "large" source buffer. */✓ 33 data = dataBadBuffer;✓ 34 data[0] = L'\0'; /* null terminate */35 }36 {✓ 37 wchar_t source[100];✓ 38 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 39 source[100-1] = L'\0'; /* null terminate */40 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */✓ 41 wcsncat(data, source, 100);❗VULN✓ 42 printWLine(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */51static void goodG2B()52{53 int h;54 wchar_t * data;55 wchar_t dataBadBuffer[50];56 wchar_t dataGoodBuffer[100];57 for(h = 0; h < 1; h++)58 {59 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */60 data = dataGoodBuffer;61 data[0] = L'\0'; /* null terminate */62 }63 {64 wchar_t source[100];65 wmemset(source, L'C', 100-1); /* fill with L'C's */66 source[100-1] = L'\0'; /* null terminate */67 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */68 wcsncat(data, source, 100);69 printWLine(data);70 }71}7273void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17_good()74{75 goodG2B();76}7778#endif /* OMITGOOD */7980/* Below is the main(). It is only used when building this testcase on81 * its own for testing or for building a binary to use in testing binary82 * analysis tools. It is not used when compiling all the testcases as one83 * application, which is how source code analysis tools are tested.84 */8586#ifdef INCLUDEMAIN8788int main(int argc, char * argv[])89{90 /* seed randomness */91 srand( (unsigned)time(NULL) );92#ifndef OMITGOOD93 printLine("Calling good()...");94 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17_good();95 printLine("Finished good()");96#endif /* OMITGOOD */97#ifndef OMITBAD98 printLine("Calling bad()...");99 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17_bad();100 printLine("Finished bad()");101#endif /* OMITBAD */102 return 0;103}104105#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sinks: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021typedef union22{23 wchar_t * unionFirst;24 wchar_t * unionSecond;25} CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_unionType;2627#ifndef OMITBAD2829void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_bad()30{✓ 31 wchar_t * data;✓ 32 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_unionType myUnion;✓ 33 wchar_t dataBuffer[100];✓ 34 data = dataBuffer;35 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 36 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 37 data[100-1] = L'\0'; /* null terminate */✓ 38 myUnion.unionFirst = data;39 {✓ 40 wchar_t * data = myUnion.unionSecond;41 {✓ 42 wchar_t dest[50] = L"";43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 44 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN✓ 45 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 46 printWLine(data);47 }48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() uses the GoodSource with the BadSink */56static void goodG2B()57{58 wchar_t * data;59 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_unionType myUnion;60 wchar_t dataBuffer[100];61 data = dataBuffer;62 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */63 wmemset(data, L'A', 50-1); /* fill with L'A's */64 data[50-1] = L'\0'; /* null terminate */65 myUnion.unionFirst = data;66 {67 wchar_t * data = myUnion.unionSecond;68 {69 wchar_t dest[50] = L"";70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */71 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));72 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */73 printWLine(data);74 }75 }76}7778void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_good()79{80 goodG2B();81}8283#endif /* OMITGOOD */8485/* Below is the main(). It is only used when building this testcase on86 * its own for testing or for building a binary to use in testing binary87 * analysis tools. It is not used when compiling all the testcases as one88 * application, which is how source code analysis tools are tested.89 */90#ifdef INCLUDEMAIN9192int main(int argc, char * argv[])93{94 /* seed randomness */95 srand( (unsigned)time(NULL) );96#ifndef OMITGOOD97 printLine("Calling good()...");98 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_good();99 printLine("Finished good()");100#endif /* OMITGOOD */101#ifndef OMITBAD102 printLine("Calling bad()...");103 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_bad();104 printLine("Finished bad()");105#endif /* OMITBAD */106 return 0;107}108109#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_09.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml4Template File: sources-sink-09.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_0922{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = new char[100];✓ 30 if(GLOBAL_CONST_TRUE)31 {32 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 33 memset(data, 'A', 100-1); /* fill with 'A's */✓ 34 data[100-1] = '\0'; /* null terminate */35 }36 {✓ 37 char dest[50] = "";38 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 39 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN✓ 40 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 41 printLine(data);✓ 42 delete [] data;43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */51static void goodG2B1()52{53 char * data;54 data = new char[100];55 if(GLOBAL_CONST_FALSE)56 {57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */58 printLine("Benign, fixed string");59 }60 else61 {62 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */63 memset(data, 'A', 50-1); /* fill with 'A's */64 data[50-1] = '\0'; /* null terminate */65 }66 {67 char dest[50] = "";68 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */69 memcpy(dest, data, strlen(data)*sizeof(char));70 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */71 printLine(data);72 delete [] data;73 }74}7576/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */77static void goodG2B2()78{79 char * data;80 data = new char[100];81 if(GLOBAL_CONST_TRUE)82 {83 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */84 memset(data, 'A', 50-1); /* fill with 'A's */85 data[50-1] = '\0'; /* null terminate */86 }87 {88 char dest[50] = "";89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */90 memcpy(dest, data, strlen(data)*sizeof(char));91 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */92 printLine(data);93 delete [] data;94 }95}9697void good()98{99 goodG2B1();100 goodG2B2();101}102103#endif /* OMITGOOD */104105} /* close namespace */106107/* Below is the main(). It is only used when building this testcase on108 its own for testing or for building a binary to use in testing binary109 analysis tools. It is not used when compiling all the testcases as one110 application, which is how source code analysis tools are tested. */111112#ifdef INCLUDEMAIN113114using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_09; /* so that we can use good and bad easily */115116int main(int argc, char * argv[])117{118 /* seed randomness */119 srand( (unsigned)time(NULL) );120#ifndef OMITGOOD121 printLine("Calling good()...");122 good();123 printLine("Finished good()");124#endif /* OMITGOOD */125#ifndef OMITBAD126 printLine("Calling bad()...");127 bad();128 printLine("Finished bad()");129#endif /* OMITBAD */130 return 0;131}132133#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml4Template File: sources-sink-10.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Point data to a buffer that does not have space for a NULL terminator10 * GoodSource: Point data to a buffer that includes space for a NULL terminator11 * Sink: ncpy12 * BadSink : Copy string to data using strncpy()13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526#ifndef OMITBAD2728void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10_bad()29{✓ 30 char * data;✓ 31 char dataBadBuffer[10];✓ 32 char dataGoodBuffer[10+1];✓ 33 if(globalTrue)34 {35 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing36 * string copies in the sinks */✓ 37 data = dataBadBuffer;✓ 38 data[0] = '\0'; /* null terminate */39 }40 {✓ 41 char source[10+1] = SRC_STRING;42 /* Copy length + 1 to include NUL terminator from source */43 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 44 strncpy(data, source, strlen(source) + 1);❗VULN✓ 45 printLine(data);46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */54static void goodG2B1()55{56 char * data;57 char dataBadBuffer[10];58 char dataGoodBuffer[10+1];59 if(globalFalse)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing67 * string copies in the sinks */68 data = dataGoodBuffer;69 data[0] = '\0'; /* null terminate */70 }71 {72 char source[10+1] = SRC_STRING;73 /* Copy length + 1 to include NUL terminator from source */74 /* POTENTIAL FLAW: data may not have enough space to hold source */75 strncpy(data, source, strlen(source) + 1);76 printLine(data);77 }78}7980/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */81static void goodG2B2()82{83 char * data;84 char dataBadBuffer[10];85 char dataGoodBuffer[10+1];86 if(globalTrue)87 {88 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing89 * string copies in the sinks */90 data = dataGoodBuffer;91 data[0] = '\0'; /* null terminate */92 }93 {94 char source[10+1] = SRC_STRING;95 /* Copy length + 1 to include NUL terminator from source */96 /* POTENTIAL FLAW: data may not have enough space to hold source */97 strncpy(data, source, strlen(source) + 1);98 printLine(data);99 }100}101102void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10_good()103{104 goodG2B1();105 goodG2B2();106}107108#endif /* OMITGOOD */109110/* Below is the main(). It is only used when building this testcase on111 * its own for testing or for building a binary to use in testing binary112 * analysis tools. It is not used when compiling all the testcases as one113 * application, which is how source code analysis tools are tested.114 */115116#ifdef INCLUDEMAIN117118int main(int argc, char * argv[])119{120 /* seed randomness */121 srand( (unsigned)time(NULL) );122#ifndef OMITGOOD123 printLine("Calling good()...");124 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10_good();125 printLine("Finished good()");126#endif /* OMITGOOD */127#ifndef OMITBAD128 printLine("Calling bad()...");129 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10_bad();130 printLine("Finished bad()");131#endif /* OMITBAD */132 return 0;133}134135#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_declare_ncpy_16.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-16.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: ncpy12 * BadSink : Copy data to string using strncpy13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__char_declare_ncpy_16_bad()24{✓ 25 char * data;✓ 26 char dataBuffer[100];✓ 27 memset(dataBuffer, 'A', 100-1);✓ 28 dataBuffer[100-1] = '\0';✓ 29 while(1)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;✓ 33 break;34 }35 {✓ 36 char dest[100];✓ 37 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 38 dest[100-1] = '\0'; /* null terminate */39 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 40 strncpy(dest, data, strlen(dest));❗VULN41 /* Ensure null termination */✓ 42 dest[100-1] = '\0';✓ 43 printLine(dest);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */52static void goodG2B()53{54 char * data;55 char dataBuffer[100];56 memset(dataBuffer, 'A', 100-1);57 dataBuffer[100-1] = '\0';58 while(1)59 {60 /* FIX: Set data pointer to the allocated memory buffer */61 data = dataBuffer;62 break;63 }64 {65 char dest[100];66 memset(dest, 'C', 100-1); /* fill with 'C's */67 dest[100-1] = '\0'; /* null terminate */68 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */69 strncpy(dest, data, strlen(dest));70 /* Ensure null termination */71 dest[100-1] = '\0';72 printLine(dest);73 }74}7576void CWE127_Buffer_Underread__char_declare_ncpy_16_good()77{78 goodG2B();79}8081#endif /* OMITGOOD */8283/* Below is the main(). It is only used when building this testcase on84 * its own for testing or for building a binary to use in testing binary85 * analysis tools. It is not used when compiling all the testcases as one86 * application, which is how source code analysis tools are tested.87 */8889#ifdef INCLUDEMAIN9091int main(int argc, char * argv[])92{93 /* seed randomness */94 srand( (unsigned)time(NULL) );95#ifndef OMITGOOD96 printLine("Calling good()...");97 CWE127_Buffer_Underread__char_declare_ncpy_16_good();98 printLine("Finished good()");99#endif /* OMITGOOD */100#ifndef OMITBAD101 printLine("Calling bad()...");102 CWE127_Buffer_Underread__char_declare_ncpy_16_bad();103 printLine("Finished bad()");104#endif /* OMITBAD */105 return 0;106}107108#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_declare_cpy_10.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-10.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__char_declare_cpy_10_bad()24{✓ 25 char * data;✓ 26 char dataBuffer[100];✓ 27 memset(dataBuffer, 'A', 100-1);✓ 28 dataBuffer[100-1] = '\0';✓ 29 if(globalTrue)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 char dest[100*2];✓ 36 memset(dest, 'C', 100*2-1); /* fill with 'C's */✓ 37 dest[100*2-1] = '\0'; /* null terminate */38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 39 strcpy(dest, data);❗VULN✓ 40 printLine(dest);41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */49static void goodG2B1()50{51 char * data;52 char dataBuffer[100];53 memset(dataBuffer, 'A', 100-1);54 dataBuffer[100-1] = '\0';55 if(globalFalse)56 {57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */58 printLine("Benign, fixed string");59 }60 else61 {62 /* FIX: Set data pointer to the allocated memory buffer */63 data = dataBuffer;64 }65 {66 char dest[100*2];67 memset(dest, 'C', 100*2-1); /* fill with 'C's */68 dest[100*2-1] = '\0'; /* null terminate */69 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */70 strcpy(dest, data);71 printLine(dest);72 }73}7475/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */76static void goodG2B2()77{78 char * data;79 char dataBuffer[100];80 memset(dataBuffer, 'A', 100-1);81 dataBuffer[100-1] = '\0';82 if(globalTrue)83 {84 /* FIX: Set data pointer to the allocated memory buffer */85 data = dataBuffer;86 }87 {88 char dest[100*2];89 memset(dest, 'C', 100*2-1); /* fill with 'C's */90 dest[100*2-1] = '\0'; /* null terminate */91 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */92 strcpy(dest, data);93 printLine(dest);94 }95}9697void CWE127_Buffer_Underread__char_declare_cpy_10_good()98{99 goodG2B1();100 goodG2B2();101}102103#endif /* OMITGOOD */104105/* Below is the main(). It is only used when building this testcase on106 * its own for testing or for building a binary to use in testing binary107 * analysis tools. It is not used when compiling all the testcases as one108 * application, which is how source code analysis tools are tested.109 */110111#ifdef INCLUDEMAIN112113int main(int argc, char * argv[])114{115 /* seed randomness */116 srand( (unsigned)time(NULL) );117#ifndef OMITGOOD118 printLine("Calling good()...");119 CWE127_Buffer_Underread__char_declare_cpy_10_good();120 printLine("Finished good()");121#endif /* OMITGOOD */122#ifndef OMITBAD123 printLine("Calling bad()...");124 CWE127_Buffer_Underread__char_declare_cpy_10_bad();125 printLine("Finished bad()");126#endif /* OMITBAD */127 return 0;128}129130#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 7 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__sizeof.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize the source buffer using the size of a pointer10 * GoodSource: Initialize the source buffer using the size of the DataElementType11 * Sink:12 * BadSink : Print then free data13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819/* The variable below is not declared "const", but is never assigned20 * any other value so a tool should be able to identify that reads of21 * this will always give its initialized value.22 */23static int staticFive = 5;2425#ifndef OMITBAD2627void CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07_bad()28{✓ 29 int64_t * data;30 /* Initialize data */✓ 31 data = NULL;✗ 32 if(staticFive==5)33 {34 /* INCIDENTAL: CWE-467 (Use of sizeof() on a pointer type) */35 /* FLAW: Using sizeof the pointer and not the data type in malloc() */✗ 36 data = (int64_t *)malloc(sizeof(data));✗ 37 if (data == NULL) {exit(-1);}✓ 38 *data = 2147483643LL;❗VULN39 }40 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */✓ 41 printLongLongLine(*data);❗VULN✗ 42 free(data);43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */50static void goodG2B1()51{52 int64_t * data;53 /* Initialize data */54 data = NULL;55 if(staticFive!=5)56 {57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */58 printLine("Benign, fixed string");59 }60 else61 {62 /* FIX: Using sizeof the data type in malloc() */63 data = (int64_t *)malloc(sizeof(*data));64 if (data == NULL) {exit(-1);}65 *data = 2147483643LL;66 }67 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */68 printLongLongLine(*data);69 free(data);70}7172/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */73static void goodG2B2()74{75 int64_t * data;76 /* Initialize data */77 data = NULL;78 if(staticFive==5)79 {80 /* FIX: Using sizeof the data type in malloc() */81 data = (int64_t *)malloc(sizeof(*data));82 if (data == NULL) {exit(-1);}83 *data = 2147483643LL;84 }85 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */86 printLongLongLine(*data);87 free(data);88}8990void CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07_good()91{92 goodG2B1();93 goodG2B2();94}9596#endif /* OMITGOOD */9798/* Below is the main(). It is only used when building this testcase on99 * its own for testing or for building a binary to use in testing binary100 * analysis tools. It is not used when compiling all the testcases as one101 * application, which is how source code analysis tools are tested.102 */103104#ifdef INCLUDEMAIN105106int main(int argc, char * argv[])107{108 /* seed randomness */109 srand( (unsigned)time(NULL) );110#ifndef OMITGOOD111 printLine("Calling good()...");112 CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07_good();113 printLine("Finished good()");114#endif /* OMITGOOD */115#ifndef OMITBAD116 printLine("Calling bad()...");117 CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07_bad();118 printLine("Finished bad()");119#endif /* OMITBAD */120 return 0;121}122123#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-12.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';✓ 29 if(globalReturnsTrueOrFalse())30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 else35 {36 /* FIX: Set data pointer to the allocated memory buffer */✓ 37 data = dataBuffer;38 }39 {✓ 40 wchar_t source[100];✓ 41 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 42 source[100-1] = L'\0'; /* null terminate */43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 44 memcpy(data, source, 100*sizeof(wchar_t));❗VULN45 /* Ensure the destination buffer is null terminated */✓ 46 data[100-1] = L'\0';✓ 47 printWLine(data);48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() - use goodsource and badsink by changing the "if" so that56 * both branches use the GoodSource */57static void goodG2B()58{59 wchar_t * data;60 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));61 wmemset(dataBuffer, L'A', 100-1);62 dataBuffer[100-1] = L'\0';63 if(globalReturnsTrueOrFalse())64 {65 /* FIX: Set data pointer to the allocated memory buffer */66 data = dataBuffer;67 }68 else69 {70 /* FIX: Set data pointer to the allocated memory buffer */71 data = dataBuffer;72 }73 {74 wchar_t source[100];75 wmemset(source, L'C', 100-1); /* fill with 'C's */76 source[100-1] = L'\0'; /* null terminate */77 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */78 memcpy(data, source, 100*sizeof(wchar_t));79 /* Ensure the destination buffer is null terminated */80 data[100-1] = L'\0';81 printWLine(data);82 }83}8485void CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12_good()86{87 goodG2B();88}8990#endif /* OMITGOOD */9192/* Below is the main(). It is only used when building this testcase on93 * its own for testing or for building a binary to use in testing binary94 * analysis tools. It is not used when compiling all the testcases as one95 * application, which is how source code analysis tools are tested.96 */9798#ifdef INCLUDEMAIN99100int main(int argc, char * argv[])101{102 /* seed randomness */103 srand( (unsigned)time(NULL) );104#ifndef OMITGOOD105 printLine("Calling good()...");106 CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12_good();107 printLine("Finished good()");108#endif /* OMITGOOD */109#ifndef OMITBAD110 printLine("Calling bad()...");111 CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12_bad();112 printLine("Finished bad()");113#endif /* OMITBAD */114 return 0;115}116117#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-15.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncat12 * BadSink : Copy data to string using wcsncat13 * Flow Variant: 15 Control flow: switch(6)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15_bad()24{✓ 25 wchar_t * data;✓ 26 data = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 27 if (data == NULL) {exit(-1);}✓ 28 switch(6)29 {✓ 30 case 6:31 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 32 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 33 data[100-1] = L'\0'; /* null terminate */✓ 34 break;✓ 35 default:36 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 37 printLine("Benign, fixed string");✓ 38 break;39 }40 {✓ 41 wchar_t dest[50] = L"";42 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/✓ 43 wcsncat(dest, data, wcslen(data));❗VULN✓ 44 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 45 printWLine(data);✓ 46 free(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */55static void goodG2B1()56{57 wchar_t * data;58 data = (wchar_t *)malloc(100*sizeof(wchar_t));59 if (data == NULL) {exit(-1);}60 switch(5)61 {62 case 6:63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 break;66 default:67 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */68 wmemset(data, L'A', 50-1); /* fill with L'A's */69 data[50-1] = L'\0'; /* null terminate */70 break;71 }72 {73 wchar_t dest[50] = L"";74 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/75 wcsncat(dest, data, wcslen(data));76 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */77 printWLine(data);78 free(data);79 }80}8182/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */83static void goodG2B2()84{85 wchar_t * data;86 data = (wchar_t *)malloc(100*sizeof(wchar_t));87 if (data == NULL) {exit(-1);}88 switch(6)89 {90 case 6:91 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */92 wmemset(data, L'A', 50-1); /* fill with L'A's */93 data[50-1] = L'\0'; /* null terminate */94 break;95 default:96 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */97 printLine("Benign, fixed string");98 break;99 }100 {101 wchar_t dest[50] = L"";102 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/103 wcsncat(dest, data, wcslen(data));104 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */105 printWLine(data);106 free(data);107 }108}109110void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15_good()111{112 goodG2B1();113 goodG2B2();114}115116#endif /* OMITGOOD */117118/* Below is the main(). It is only used when building this testcase on119 * its own for testing or for building a binary to use in testing binary120 * analysis tools. It is not used when compiling all the testcases as one121 * application, which is how source code analysis tools are tested.122 */123124#ifdef INCLUDEMAIN125126int main(int argc, char * argv[])127{128 /* seed randomness */129 srand( (unsigned)time(NULL) );130#ifndef OMITGOOD131 printLine("Calling good()...");132 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15_good();133 printLine("Finished good()");134#endif /* OMITGOOD */135#ifndef OMITBAD136 printLine("Calling bad()...");137 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15_bad();138 printLine("Finished bad()");139#endif /* OMITBAD */140 return 0;141}142143#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy int64_t array to data using a loop13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819/* The two variables below are not defined as "const", but are never20 * assigned any other value, so a tool should be able to identify that21 * reads of these will always return their initialized values.22 */23static int staticTrue = 1; /* true */24static int staticFalse = 0; /* false */2526#ifndef OMITBAD2728void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05_bad()29{✓ 30 int64_t * data;✓ 31 int64_t dataBadBuffer[50];✓ 32 int64_t dataGoodBuffer[100];✓ 33 if(staticTrue)34 {35 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination36 * buffer in various memory copying functions using a "large" source buffer. */✓ 37 data = dataBadBuffer;38 }39 {✓ 40 int64_t source[100] = {0}; /* fill with 0's */41 {✓ 42 size_t i;43 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 44 for (i = 0; i < 100; i++)45 {✓ 46 data[i] = source[i];❗VULN47 }✓ 48 printLongLongLine(data[0]);49 }50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */58static void goodG2B1()59{60 int64_t * data;61 int64_t dataBadBuffer[50];62 int64_t dataGoodBuffer[100];63 if(staticFalse)64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */71 data = dataGoodBuffer;72 }73 {74 int64_t source[100] = {0}; /* fill with 0's */75 {76 size_t i;77 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */78 for (i = 0; i < 100; i++)79 {80 data[i] = source[i];81 }82 printLongLongLine(data[0]);83 }84 }85}8687/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */88static void goodG2B2()89{90 int64_t * data;91 int64_t dataBadBuffer[50];92 int64_t dataGoodBuffer[100];93 if(staticTrue)94 {95 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */96 data = dataGoodBuffer;97 }98 {99 int64_t source[100] = {0}; /* fill with 0's */100 {101 size_t i;102 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */103 for (i = 0; i < 100; i++)104 {105 data[i] = source[i];106 }107 printLongLongLine(data[0]);108 }109 }110}111112void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05_good()113{114 goodG2B1();115 goodG2B2();116}117118#endif /* OMITGOOD */119120/* Below is the main(). It is only used when building this testcase on121 * its own for testing or for building a binary to use in testing binary122 * analysis tools. It is not used when compiling all the testcases as one123 * application, which is how source code analysis tools are tested.124 */125126#ifdef INCLUDEMAIN127128int main(int argc, char * argv[])129{130 /* seed randomness */131 srand( (unsigned)time(NULL) );132#ifndef OMITGOOD133 printLine("Calling good()...");134 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05_good();135 printLine("Finished good()");136#endif /* OMITGOOD */137#ifndef OMITBAD138 printLine("Calling bad()...");139 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05_bad();140 printLine("Finished bad()");141#endif /* OMITBAD */142 return 0;143}144145#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-14.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memcpy12 * BadSink : Copy int array to data using memcpy13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14_bad()22{✓ 23 int * data;✓ 24 int dataBadBuffer[50];✓ 25 int dataGoodBuffer[100];✓ 26 if(globalFive==5)27 {28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination29 * buffer in various memory copying functions using a "large" source buffer. */✓ 30 data = dataBadBuffer;31 }32 {✓ 33 int source[100] = {0}; /* fill with 0's */34 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 35 memcpy(data, source, 100*sizeof(int));❗VULN✓ 36 printIntLine(data[0]);37 }38}3940#endif /* OMITBAD */4142#ifndef OMITGOOD4344/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */45static void goodG2B1()46{47 int * data;48 int dataBadBuffer[50];49 int dataGoodBuffer[100];50 if(globalFive!=5)51 {52 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */53 printLine("Benign, fixed string");54 }55 else56 {57 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */58 data = dataGoodBuffer;59 }60 {61 int source[100] = {0}; /* fill with 0's */62 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */63 memcpy(data, source, 100*sizeof(int));64 printIntLine(data[0]);65 }66}6768/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */69static void goodG2B2()70{71 int * data;72 int dataBadBuffer[50];73 int dataGoodBuffer[100];74 if(globalFive==5)75 {76 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */77 data = dataGoodBuffer;78 }79 {80 int source[100] = {0}; /* fill with 0's */81 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */82 memcpy(data, source, 100*sizeof(int));83 printIntLine(data[0]);84 }85}8687void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14_good()88{89 goodG2B1();90 goodG2B2();91}9293#endif /* OMITGOOD */9495/* Below is the main(). It is only used when building this testcase on96 * its own for testing or for building a binary to use in testing binary97 * analysis tools. It is not used when compiling all the testcases as one98 * application, which is how source code analysis tools are tested.99 */100101#ifdef INCLUDEMAIN102103int main(int argc, char * argv[])104{105 /* seed randomness */106 srand( (unsigned)time(NULL) );107#ifndef OMITGOOD108 printLine("Calling good()...");109 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14_good();110 printLine("Finished good()");111#endif /* OMITGOOD */112#ifndef OMITBAD113 printLine("Calling bad()...");114 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14_bad();115 printLine("Finished bad()");116#endif /* OMITBAD */117 return 0;118}119120#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_02.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-02.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_0222{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;✓ 30 if(1)31 {32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 33 data = new wchar_t[50];✓ 34 data[0] = L'\0'; /* null terminate */35 }36 {✓ 37 size_t i;✓ 38 wchar_t source[100];✓ 39 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 40 source[100-1] = L'\0'; /* null terminate */41 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 42 for (i = 0; i < 100; i++)43 {✓ 44 data[i] = source[i];❗VULN45 }✓ 46 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 47 printWLine(data);✓ 48 delete [] data;49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */57static void goodG2B1()58{59 wchar_t * data;60 data = NULL;61 if(0)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */69 data = new wchar_t[100];70 data[0] = L'\0'; /* null terminate */71 }72 {73 size_t i;74 wchar_t source[100];75 wmemset(source, L'C', 100-1); /* fill with L'C's */76 source[100-1] = L'\0'; /* null terminate */77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */78 for (i = 0; i < 100; i++)79 {80 data[i] = source[i];81 }82 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */83 printWLine(data);84 delete [] data;85 }86}8788/* goodG2B2() - use goodsource and badsink by reversing the statements in the if */89static void goodG2B2()90{91 wchar_t * data;92 data = NULL;93 if(1)94 {95 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */96 data = new wchar_t[100];97 data[0] = L'\0'; /* null terminate */98 }99 {100 size_t i;101 wchar_t source[100];102 wmemset(source, L'C', 100-1); /* fill with L'C's */103 source[100-1] = L'\0'; /* null terminate */104 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */105 for (i = 0; i < 100; i++)106 {107 data[i] = source[i];108 }109 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */110 printWLine(data);111 delete [] data;112 }113}114115void good()116{117 goodG2B1();118 goodG2B2();119}120121#endif /* OMITGOOD */122123} /* close namespace */124125/* Below is the main(). It is only used when building this testcase on126 its own for testing or for building a binary to use in testing binary127 analysis tools. It is not used when compiling all the testcases as one128 application, which is how source code analysis tools are tested. */129130#ifdef INCLUDEMAIN131132using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_02; /* so that we can use good and bad easily */133134int main(int argc, char * argv[])135{136 /* seed randomness */137 srand( (unsigned)time(NULL) );138#ifndef OMITGOOD139 printLine("Calling good()...");140 good();141 printLine("Finished good()");142#endif /* OMITGOOD */143#ifndef OMITBAD144 printLine("Calling bad()...");145 bad();146 printLine("Finished bad()");147#endif /* OMITBAD */148 return 0;149}150151#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml4Template File: sources-sink-42.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: loop12 * BadSink : Copy twoIntsStruct array to data using a loop13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021static twoIntsStruct * badSource(twoIntsStruct * data)22{23 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */24 data = (twoIntsStruct *)malloc(50*sizeof(twoIntsStruct));25 if (data == NULL) {exit(-1);}26 return data;27}2829void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42_bad()30{✓ 31 twoIntsStruct * data;✓ 32 data = NULL;✓ 33 data = badSource(data);34 {✓ 35 twoIntsStruct source[100];36 {✓ 37 size_t i;38 /* Initialize array */✓ 39 for (i = 0; i < 100; i++)40 {✓ 41 source[i].intOne = 0;✓ 42 source[i].intTwo = 0;43 }44 }45 {✓ 46 size_t i;47 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 48 for (i = 0; i < 100; i++)49 {✓ 50 data[i] = source[i];❗VULN51 }✓ 52 printStructLine(&data[0]);✓ 53 free(data);54 }55 }56}5758#endif /* OMITBAD */5960#ifndef OMITGOOD6162static twoIntsStruct * goodG2BSource(twoIntsStruct * data)63{64 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */65 data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct));66 if (data == NULL) {exit(-1);}67 return data;68}6970/* goodG2B uses the GoodSource with the BadSink */71static void goodG2B()72{73 twoIntsStruct * data;74 data = NULL;75 data = goodG2BSource(data);76 {77 twoIntsStruct source[100];78 {79 size_t i;80 /* Initialize array */81 for (i = 0; i < 100; i++)82 {83 source[i].intOne = 0;84 source[i].intTwo = 0;85 }86 }87 {88 size_t i;89 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */90 for (i = 0; i < 100; i++)91 {92 data[i] = source[i];93 }94 printStructLine(&data[0]);95 free(data);96 }97 }98}99100void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42_good()101{102 goodG2B();103}104105#endif /* OMITGOOD */106107/* Below is the main(). It is only used when building this testcase on108 * its own for testing or for building a binary to use in testing binary109 * analysis tools. It is not used when compiling all the testcases as one110 * application, which is how source code analysis tools are tested.111 */112113#ifdef INCLUDEMAIN114115int main(int argc, char * argv[])116{117 /* seed randomness */118 srand( (unsigned)time(NULL) );119#ifndef OMITGOOD120 printLine("Calling good()...");121 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42_good();122 printLine("Finished good()");123#endif /* OMITGOOD */124#ifndef OMITBAD125 printLine("Calling bad()...");126 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42_bad();127 printLine("Finished bad()");128#endif /* OMITBAD */129 return 0;130}131132#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_loop_05.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-05.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 assigned any other value, so a tool should be able to identify that23 reads of these will always return their initialized values. */24static int staticTrue = 1; /* true */25static int staticFalse = 0; /* false */2627namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_loop_0528{2930#ifndef OMITBAD3132void bad()33{✓ 34 char * data;✓ 35 data = NULL;✓ 36 if(staticTrue)37 {38 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 39 data = new char[50];✓ 40 data[0] = '\0'; /* null terminate */41 }42 {✓ 43 size_t i;✓ 44 char source[100];✓ 45 memset(source, 'C', 100-1); /* fill with 'C's */✓ 46 source[100-1] = '\0'; /* null terminate */47 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 48 for (i = 0; i < 100; i++)49 {✓ 50 data[i] = source[i];❗VULN51 }✓ 52 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 53 printLine(data);✓ 54 delete [] data;55 }56}5758#endif /* OMITBAD */5960#ifndef OMITGOOD6162/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */63static void goodG2B1()64{65 char * data;66 data = NULL;67 if(staticFalse)68 {69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */70 printLine("Benign, fixed string");71 }72 else73 {74 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */75 data = new char[100];76 data[0] = '\0'; /* null terminate */77 }78 {79 size_t i;80 char source[100];81 memset(source, 'C', 100-1); /* fill with 'C's */82 source[100-1] = '\0'; /* null terminate */83 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */84 for (i = 0; i < 100; i++)85 {86 data[i] = source[i];87 }88 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */89 printLine(data);90 delete [] data;91 }92}9394/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */95static void goodG2B2()96{97 char * data;98 data = NULL;99 if(staticTrue)100 {101 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */102 data = new char[100];103 data[0] = '\0'; /* null terminate */104 }105 {106 size_t i;107 char source[100];108 memset(source, 'C', 100-1); /* fill with 'C's */109 source[100-1] = '\0'; /* null terminate */110 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */111 for (i = 0; i < 100; i++)112 {113 data[i] = source[i];114 }115 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */116 printLine(data);117 delete [] data;118 }119}120121void good()122{123 goodG2B1();124 goodG2B2();125}126127#endif /* OMITGOOD */128129} /* close namespace */130131/* Below is the main(). It is only used when building this testcase on132 its own for testing or for building a binary to use in testing binary133 analysis tools. It is not used when compiling all the testcases as one134 application, which is how source code analysis tools are tested. */135136#ifdef INCLUDEMAIN137138using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_loop_05; /* so that we can use good and bad easily */139140int main(int argc, char * argv[])141{142 /* seed randomness */143 srand( (unsigned)time(NULL) );144#ifndef OMITGOOD145 printLine("Calling good()...");146 good();147 printLine("Finished good()");148#endif /* OMITGOOD */149#ifndef OMITBAD150 printLine("Calling bad()...");151 bad();152 printLine("Finished bad()");153#endif /* OMITBAD */154 return 0;155}156157#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__new_char_memmove_31.cpp3Label Definition File: CWE126_Buffer_Overread__new.label.xml4Template File: sources-sink-31.tmpl.cpp5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sinks: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 31 Data flow using a copy of data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE126_Buffer_Overread__new_char_memmove_3122{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = NULL;30 /* FLAW: Use a small buffer */✓ 31 data = new char[50];✓ 32 memset(data, 'A', 50-1); /* fill with 'A's */✓ 33 data[50-1] = '\0'; /* null terminate */34 {✓ 35 char * dataCopy = data;✓ 36 char * data = dataCopy;37 {✓ 38 char dest[100];✓ 39 memset(dest, 'C', 100-1);✓ 40 dest[100-1] = '\0'; /* null terminate */41 /* POTENTIAL FLAW: using memmove with the length of the dest where data42 * could be smaller than dest causing buffer overread */✓ 43 memmove(dest, data, strlen(dest)*sizeof(char));❗VULN✓ 44 dest[100-1] = '\0';✓ 45 printLine(dest);✓ 46 delete [] data;47 }48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() uses the GoodSource with the BadSink */56static void goodG2B()57{58 char * data;59 data = NULL;60 /* FIX: Use a large buffer */61 data = new char[100];62 memset(data, 'A', 100-1); /* fill with 'A's */63 data[100-1] = '\0'; /* null terminate */64 {65 char * dataCopy = data;66 char * data = dataCopy;67 {68 char dest[100];69 memset(dest, 'C', 100-1);70 dest[100-1] = '\0'; /* null terminate */71 /* POTENTIAL FLAW: using memmove with the length of the dest where data72 * could be smaller than dest causing buffer overread */73 memmove(dest, data, strlen(dest)*sizeof(char));74 dest[100-1] = '\0';75 printLine(dest);76 delete [] data;77 }78 }79}8081void good()82{83 goodG2B();84}8586#endif /* OMITGOOD */8788} /* close namespace */8990/* Below is the main(). It is only used when building this testcase on91 its own for testing or for building a binary to use in testing binary92 analysis tools. It is not used when compiling all the testcases as one93 application, which is how source code analysis tools are tested. */94#ifdef INCLUDEMAIN9596using namespace CWE126_Buffer_Overread__new_char_memmove_31; /* so that we can use good and bad easily */9798int main(int argc, char * argv[])99{100 /* seed randomness */101 srand( (unsigned)time(NULL) );102#ifndef OMITGOOD103 printLine("Calling good()...");104 good();105 printLine("Finished good()");106#endif /* OMITGOOD */107#ifndef OMITBAD108 printLine("Calling bad()...");109 bad();110 printLine("Finished bad()");111#endif /* OMITBAD */112 return 0;113}114115#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml4Template File: sources-sink-32.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: cat12 * BadSink : Copy string to data using wcscat13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * *dataPtr1 = &data;✓ 27 wchar_t * *dataPtr2 = &data;✓ 28 data = NULL;29 {✓ 30 wchar_t * data = *dataPtr1;31 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 32 data = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 33 if (data == NULL) {exit(-1);}✓ 34 data[0] = L'\0'; /* null terminate */✓ 35 *dataPtr1 = data;36 }37 {✓ 38 wchar_t * data = *dataPtr2;39 {✓ 40 wchar_t source[100];✓ 41 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 42 source[100-1] = L'\0'; /* null terminate */43 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 44 wcscat(data, source);❗VULN✓ 45 printWLine(data);✓ 46 free(data);47 }48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() uses the GoodSource with the BadSink */56static void goodG2B()57{58 wchar_t * data;59 wchar_t * *dataPtr1 = &data;60 wchar_t * *dataPtr2 = &data;61 data = NULL;62 {63 wchar_t * data = *dataPtr1;64 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */65 data = (wchar_t *)malloc(100*sizeof(wchar_t));66 if (data == NULL) {exit(-1);}67 data[0] = L'\0'; /* null terminate */68 *dataPtr1 = data;69 }70 {71 wchar_t * data = *dataPtr2;72 {73 wchar_t source[100];74 wmemset(source, L'C', 100-1); /* fill with L'C's */75 source[100-1] = L'\0'; /* null terminate */76 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */77 wcscat(data, source);78 printWLine(data);79 free(data);80 }81 }82}8384void CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32_good()85{86 goodG2B();87}8889#endif /* OMITGOOD */9091/* Below is the main(). It is only used when building this testcase on92 * its own for testing or for building a binary to use in testing binary93 * analysis tools. It is not used when compiling all the testcases as one94 * application, which is how source code analysis tools are tested.95 */96#ifdef INCLUDEMAIN9798int main(int argc, char * argv[])99{100 /* seed randomness */101 srand( (unsigned)time(NULL) );102#ifndef OMITGOOD103 printLine("Calling good()...");104 CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32_good();105 printLine("Finished good()");106#endif /* OMITGOOD */107#ifndef OMITBAD108 printLine("Calling bad()...");109 CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32_bad();110 printLine("Finished bad()");111#endif /* OMITBAD */112 return 0;113}114115#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memmove_31.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml4Template File: sources-sink-31.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sinks: memmove12 * BadSink : Copy string to data using memmove()13 * Flow Variant: 31 Data flow using a copy of data within the same function14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING L"AAAAAAAAAA"2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memmove_3127{2829#ifndef OMITBAD3031void bad()32{✓ 33 wchar_t * data;✓ 34 data = NULL;35 /* FLAW: Did not leave space for a null terminator */✓ 36 data = new wchar_t[10];37 {✓ 38 wchar_t * dataCopy = data;✓ 39 wchar_t * data = dataCopy;40 {✓ 41 wchar_t source[10+1] = SRC_STRING;42 /* Copy length + 1 to include NUL terminator from source */43 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 44 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));❗VULN✓ 45 printWLine(data);✓ 46 delete [] data;47 }48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() uses the GoodSource with the BadSink */56static void goodG2B()57{58 wchar_t * data;59 data = NULL;60 /* FIX: Allocate space for a null terminator */61 data = new wchar_t[10+1];62 {63 wchar_t * dataCopy = data;64 wchar_t * data = dataCopy;65 {66 wchar_t source[10+1] = SRC_STRING;67 /* Copy length + 1 to include NUL terminator from source */68 /* POTENTIAL FLAW: data may not have enough space to hold source */69 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));70 printWLine(data);71 delete [] data;72 }73 }74}7576void good()77{78 goodG2B();79}8081#endif /* OMITGOOD */8283} /* close namespace */8485/* Below is the main(). It is only used when building this testcase on86 its own for testing or for building a binary to use in testing binary87 analysis tools. It is not used when compiling all the testcases as one88 application, which is how source code analysis tools are tested. */89#ifdef INCLUDEMAIN9091using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memmove_31; /* so that we can use good and bad easily */9293int main(int argc, char * argv[])94{95 /* seed randomness */96 srand( (unsigned)time(NULL) );97#ifndef OMITGOOD98 printLine("Calling good()...");99 good();100 printLine("Finished good()");101#endif /* OMITGOOD */102#ifndef OMITBAD103 printLine("Calling bad()...");104 bad();105 printLine("Finished bad()");106#endif /* OMITBAD */107 return 0;108}109110#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml4Template File: sources-sink-01.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: cat12 * BadSink : Copy string to data using wcscat13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;27 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 28 data = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 29 if (data == NULL) {exit(-1);}✓ 30 data[0] = L'\0'; /* null terminate */31 {✓ 32 wchar_t source[100];✓ 33 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 34 source[100-1] = L'\0'; /* null terminate */35 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 36 wcscat(data, source);❗VULN✓ 37 printWLine(data);✓ 38 free(data);39 }40}4142#endif /* OMITBAD */4344#ifndef OMITGOOD4546/* goodG2B uses the GoodSource with the BadSink */47static void goodG2B()48{49 wchar_t * data;50 data = NULL;51 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */52 data = (wchar_t *)malloc(100*sizeof(wchar_t));53 if (data == NULL) {exit(-1);}54 data[0] = L'\0'; /* null terminate */55 {56 wchar_t source[100];57 wmemset(source, L'C', 100-1); /* fill with L'C's */58 source[100-1] = L'\0'; /* null terminate */59 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */60 wcscat(data, source);61 printWLine(data);62 free(data);63 }64}6566void CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01_good()67{68 goodG2B();69}7071#endif /* OMITGOOD */7273/* Below is the main(). It is only used when building this testcase on74 * its own for testing or for building a binary to use in testing binary75 * analysis tools. It is not used when compiling all the testcases as one76 * application, which is how source code analysis tools are tested.77 */7879#ifdef INCLUDEMAIN8081int main(int argc, char * argv[])82{83 /* seed randomness */84 srand( (unsigned)time(NULL) );85#ifndef OMITGOOD86 printLine("Calling good()...");87 CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01_good();88 printLine("Finished good()");89#endif /* OMITGOOD */90#ifndef OMITBAD91 printLine("Calling bad()...");92 CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01_bad();93 printLine("Finished bad()");94#endif /* OMITBAD */95 return 0;96}9798#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-45.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sinks: loop12 * BadSink : Copy twoIntsStruct array to data using a loop13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819static twoIntsStruct * CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_badData;20static twoIntsStruct * CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_goodG2BData;2122#ifndef OMITBAD2324static void badSink()25{✓ 26 twoIntsStruct * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_badData;27 {✓ 28 twoIntsStruct source[100];29 {✓ 30 size_t i;31 /* Initialize array */✓ 32 for (i = 0; i < 100; i++)33 {✓ 34 source[i].intOne = 0;✓ 35 source[i].intTwo = 0;36 }37 }38 {✓ 39 size_t i;40 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 41 for (i = 0; i < 100; i++)42 {✓ 43 data[i] = source[i];❗VULN44 }✓ 45 printStructLine(&data[0]);46 }47 }48}4950void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_bad()51{52 twoIntsStruct * data;53 twoIntsStruct dataBadBuffer[50];54 twoIntsStruct dataGoodBuffer[100];55 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination56 * buffer in various memory copying functions using a "large" source buffer. */57 data = dataBadBuffer;58 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_badData = data;59 badSink();60}6162#endif /* OMITBAD */6364#ifndef OMITGOOD6566/* goodG2B() uses the GoodSource with the BadSink */67static void goodG2BSink()68{69 twoIntsStruct * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_goodG2BData;70 {71 twoIntsStruct source[100];72 {73 size_t i;74 /* Initialize array */75 for (i = 0; i < 100; i++)76 {77 source[i].intOne = 0;78 source[i].intTwo = 0;79 }80 }81 {82 size_t i;83 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */84 for (i = 0; i < 100; i++)85 {86 data[i] = source[i];87 }88 printStructLine(&data[0]);89 }90 }91}9293static void goodG2B()94{95 twoIntsStruct * data;96 twoIntsStruct dataBadBuffer[50];97 twoIntsStruct dataGoodBuffer[100];98 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */99 data = dataGoodBuffer;100 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_goodG2BData = data;101 goodG2BSink();102}103104void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_good()105{106 goodG2B();107}108109#endif /* OMITGOOD */110111/* Below is the main(). It is only used when building this testcase on112 * its own for testing or for building a binary to use in testing binary113 * analysis tools. It is not used when compiling all the testcases as one114 * application, which is how source code analysis tools are tested.115 */116#ifdef INCLUDEMAIN117118int main(int argc, char * argv[])119{120 /* seed randomness */121 srand( (unsigned)time(NULL) );122#ifndef OMITGOOD123 printLine("Calling good()...");124 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_good();125 printLine("Finished good()");126#endif /* OMITGOOD */127#ifndef OMITBAD128 printLine("Calling bad()...");129 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_bad();130 printLine("Finished bad()");131#endif /* OMITBAD */132 return 0;133}134135#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 22 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__malloc_char_loop_17.c3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml4Template File: sources-sink-17.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__malloc_char_loop_17_bad()24{✓ 25 int i;✓ 26 char * data;✓ 27 data = NULL;✓ 28 for(i = 0; i < 1; i++)29 {30 {✓ 31 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 32 if (dataBuffer == NULL) {exit(-1);}✓ 33 memset(dataBuffer, 'A', 100-1);✓ 34 dataBuffer[100-1] = '\0';35 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 36 data = dataBuffer - 8;37 }38 }39 {✓ 40 size_t i;✓ 41 char source[100];✓ 42 memset(source, 'C', 100-1); /* fill with 'C's */✓ 43 source[100-1] = '\0'; /* null terminate */44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 45 for (i = 0; i < 100; i++)46 {✓ 47 data[i] = source[i];❗VULN48 }49 /* Ensure the destination buffer is null terminated */✓ 50 data[100-1] = '\0';✓ 51 printLine(data);52 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location53 * returned by malloc() so can't safely call free() on it */54 }55}5657#endif /* OMITBAD */5859#ifndef OMITGOOD6061/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */62static void goodG2B()63{64 int h;65 char * data;66 data = NULL;67 for(h = 0; h < 1; h++)68 {69 {70 char * dataBuffer = (char *)malloc(100*sizeof(char));71 if (dataBuffer == NULL) {exit(-1);}72 memset(dataBuffer, 'A', 100-1);73 dataBuffer[100-1] = '\0';74 /* FIX: Set data pointer to the allocated memory buffer */75 data = dataBuffer;76 }77 }78 {79 size_t i;80 char source[100];81 memset(source, 'C', 100-1); /* fill with 'C's */82 source[100-1] = '\0'; /* null terminate */83 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */84 for (i = 0; i < 100; i++)85 {86 data[i] = source[i];87 }88 /* Ensure the destination buffer is null terminated */89 data[100-1] = '\0';90 printLine(data);91 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location92 * returned by malloc() so can't safely call free() on it */93 }94}9596void CWE124_Buffer_Underwrite__malloc_char_loop_17_good()97{98 goodG2B();99}100101#endif /* OMITGOOD */102103/* Below is the main(). It is only used when building this testcase on104 * its own for testing or for building a binary to use in testing binary105 * analysis tools. It is not used when compiling all the testcases as one106 * application, which is how source code analysis tools are tested.107 */108109#ifdef INCLUDEMAIN110111int main(int argc, char * argv[])112{113 /* seed randomness */114 srand( (unsigned)time(NULL) );115#ifndef OMITGOOD116 printLine("Calling good()...");117 CWE124_Buffer_Underwrite__malloc_char_loop_17_good();118 printLine("Finished good()");119#endif /* OMITGOOD */120#ifndef OMITBAD121 printLine("Calling bad()...");122 CWE124_Buffer_Underwrite__malloc_char_loop_17_bad();123 printLine("Finished bad()");124#endif /* OMITBAD */125 return 0;126}127128#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_declare_memcpy_05.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 * assigned any other value, so a tool should be able to identify that23 * reads of these will always return their initialized values.24 */25static int staticTrue = 1; /* true */26static int staticFalse = 0; /* false */2728#ifndef OMITBAD2930void CWE127_Buffer_Underread__char_declare_memcpy_05_bad()31{✓ 32 char * data;✓ 33 char dataBuffer[100];✓ 34 memset(dataBuffer, 'A', 100-1);✓ 35 dataBuffer[100-1] = '\0';✓ 36 if(staticTrue)37 {38 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 39 data = dataBuffer - 8;40 }41 {✓ 42 char dest[100];✓ 43 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 44 dest[100-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 46 memcpy(dest, data, 100*sizeof(char));❗VULN47 /* Ensure null termination */✓ 48 dest[100-1] = '\0';✓ 49 printLine(dest);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */58static void goodG2B1()59{60 char * data;61 char dataBuffer[100];62 memset(dataBuffer, 'A', 100-1);63 dataBuffer[100-1] = '\0';64 if(staticFalse)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 /* FIX: Set data pointer to the allocated memory buffer */72 data = dataBuffer;73 }74 {75 char dest[100];76 memset(dest, 'C', 100-1); /* fill with 'C's */77 dest[100-1] = '\0'; /* null terminate */78 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */79 memcpy(dest, data, 100*sizeof(char));80 /* Ensure null termination */81 dest[100-1] = '\0';82 printLine(dest);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 char * data;90 char dataBuffer[100];91 memset(dataBuffer, 'A', 100-1);92 dataBuffer[100-1] = '\0';93 if(staticTrue)94 {95 /* FIX: Set data pointer to the allocated memory buffer */96 data = dataBuffer;97 }98 {99 char dest[100];100 memset(dest, 'C', 100-1); /* fill with 'C's */101 dest[100-1] = '\0'; /* null terminate */102 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */103 memcpy(dest, data, 100*sizeof(char));104 /* Ensure null termination */105 dest[100-1] = '\0';106 printLine(dest);107 }108}109110void CWE127_Buffer_Underread__char_declare_memcpy_05_good()111{112 goodG2B1();113 goodG2B2();114}115116#endif /* OMITGOOD */117118/* Below is the main(). It is only used when building this testcase on119 * its own for testing or for building a binary to use in testing binary120 * analysis tools. It is not used when compiling all the testcases as one121 * application, which is how source code analysis tools are tested.122 */123124#ifdef INCLUDEMAIN125126int main(int argc, char * argv[])127{128 /* seed randomness */129 srand( (unsigned)time(NULL) );130#ifndef OMITGOOD131 printLine("Calling good()...");132 CWE127_Buffer_Underread__char_declare_memcpy_05_good();133 printLine("Finished good()");134#endif /* OMITGOOD */135#ifndef OMITBAD136 printLine("Calling bad()...");137 CWE127_Buffer_Underread__char_declare_memcpy_05_bad();138 printLine("Finished bad()");139#endif /* OMITBAD */140 return 0;141}142143#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-13.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t dataBuffer[100];✓ 27 data = dataBuffer;✓ 28 if(GLOBAL_CONST_FIVE==5)29 {30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 31 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 32 data[100-1] = L'\0'; /* null terminate */33 }34 {✓ 35 wchar_t dest[50] = L"";36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 37 memmove(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN✓ 38 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 39 printWLine(data);40 }41}4243#endif /* OMITBAD */4445#ifndef OMITGOOD4647/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */48static void goodG2B1()49{50 wchar_t * data;51 wchar_t dataBuffer[100];52 data = dataBuffer;53 if(GLOBAL_CONST_FIVE!=5)54 {55 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */56 printLine("Benign, fixed string");57 }58 else59 {60 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */61 wmemset(data, L'A', 50-1); /* fill with L'A's */62 data[50-1] = L'\0'; /* null terminate */63 }64 {65 wchar_t dest[50] = L"";66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */67 memmove(dest, data, wcslen(data)*sizeof(wchar_t));68 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */69 printWLine(data);70 }71}7273/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */74static void goodG2B2()75{76 wchar_t * data;77 wchar_t dataBuffer[100];78 data = dataBuffer;79 if(GLOBAL_CONST_FIVE==5)80 {81 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */82 wmemset(data, L'A', 50-1); /* fill with L'A's */83 data[50-1] = L'\0'; /* null terminate */84 }85 {86 wchar_t dest[50] = L"";87 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */88 memmove(dest, data, wcslen(data)*sizeof(wchar_t));89 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */90 printWLine(data);91 }92}9394void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13_good()95{96 goodG2B1();97 goodG2B2();98}99100#endif /* OMITGOOD */101102/* Below is the main(). It is only used when building this testcase on103 * its own for testing or for building a binary to use in testing binary104 * analysis tools. It is not used when compiling all the testcases as one105 * application, which is how source code analysis tools are tested.106 */107108#ifdef INCLUDEMAIN109110int main(int argc, char * argv[])111{112 /* seed randomness */113 srand( (unsigned)time(NULL) );114#ifndef OMITGOOD115 printLine("Calling good()...");116 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13_good();117 printLine("Finished good()");118#endif /* OMITGOOD */119#ifndef OMITBAD120 printLine("Calling bad()...");121 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13_bad();122 printLine("Finished bad()");123#endif /* OMITBAD */124 return 0;125}126127#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml4Template File: sources-sink-06.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sink: ncpy12 * BadSink : Copy string to data using wcsncpy()13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING L"AAAAAAAAAA"2526/* The variable below is declared "const", so a tool should be able27 * to identify that reads of this will always give its initialized value. */28static const int STATIC_CONST_FIVE = 5;2930#ifndef OMITBAD3132void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06_bad()33{✓ 34 wchar_t * data;✓ 35 data = NULL;✓ 36 if(STATIC_CONST_FIVE==5)37 {38 /* FLAW: Did not leave space for a null terminator */✓ 39 data = (wchar_t *)malloc(10*sizeof(wchar_t));✓ 40 if (data == NULL) {exit(-1);}41 }42 {✓ 43 wchar_t source[10+1] = SRC_STRING;44 /* Copy length + 1 to include NUL terminator from source */45 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 46 wcsncpy(data, source, wcslen(source) + 1);❗VULN✓ 47 printWLine(data);✓ 48 free(data);49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */57static void goodG2B1()58{59 wchar_t * data;60 data = NULL;61 if(STATIC_CONST_FIVE!=5)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Allocate space for a null terminator */69 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));70 if (data == NULL) {exit(-1);}71 }72 {73 wchar_t source[10+1] = SRC_STRING;74 /* Copy length + 1 to include NUL terminator from source */75 /* POTENTIAL FLAW: data may not have enough space to hold source */76 wcsncpy(data, source, wcslen(source) + 1);77 printWLine(data);78 free(data);79 }80}8182/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */83static void goodG2B2()84{85 wchar_t * data;86 data = NULL;87 if(STATIC_CONST_FIVE==5)88 {89 /* FIX: Allocate space for a null terminator */90 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));91 if (data == NULL) {exit(-1);}92 }93 {94 wchar_t source[10+1] = SRC_STRING;95 /* Copy length + 1 to include NUL terminator from source */96 /* POTENTIAL FLAW: data may not have enough space to hold source */97 wcsncpy(data, source, wcslen(source) + 1);98 printWLine(data);99 free(data);100 }101}102103void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06_good()104{105 goodG2B1();106 goodG2B2();107}108109#endif /* OMITGOOD */110111/* Below is the main(). It is only used when building this testcase on112 * its own for testing or for building a binary to use in testing binary113 * analysis tools. It is not used when compiling all the testcases as one114 * application, which is how source code analysis tools are tested.115 */116117#ifdef INCLUDEMAIN118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06_good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06_bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 31 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE129.label.xml4Template File: sources-sinks-15.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: rand Set data to result of rand(), which may be zero10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 15 Control flow: switch(6) and switch(7)15 *16 * */1718#include "std_testcase.h"1920#ifndef OMITBAD2122void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15_bad()23{✓ 24 int data;25 /* Initialize data */✓ 26 data = -1;✓ 27 switch(6)28 {✓ 29 case 6:30 /* POTENTIAL FLAW: Set data to a random value */✓ 31 data = RAND32();✓ 32 break;✓ 33 default:34 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 35 printLine("Benign, fixed string");✓ 36 break;37 }✓ 38 switch(7)39 {✓ 40 case 7:41 {✓ 42 int i;✓ 43 int * buffer = (int *)malloc(10 * sizeof(int));✓ 44 if (buffer == NULL) {exit(-1);}45 /* initialize buffer */✓ 46 for (i = 0; i < 10; i++)47 {✓ 48 buffer[i] = 0;49 }50 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound51 * This code does check to see if the array index is negative */✓ 52 if (data >= 0)53 {✓ 54 buffer[data] = 1;❗VULN55 /* Print the array values */✓ 56 for(i = 0; i < 10; i++)57 {✓ 58 printIntLine(buffer[i]);59 }60 }61 else62 {✓ 63 printLine("ERROR: Array index is negative.");64 }✓ 65 free(buffer);66 }✓ 67 break;✓ 68 default:69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 70 printLine("Benign, fixed string");✓ 71 break;72 }73}7475#endif /* OMITBAD */7677#ifndef OMITGOOD7879/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */80static void goodB2G1()81{82 int data;83 /* Initialize data */84 data = -1;85 switch(6)86 {87 case 6:88 /* POTENTIAL FLAW: Set data to a random value */89 data = RAND32();90 break;91 default:92 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */93 printLine("Benign, fixed string");94 break;95 }96 switch(8)97 {98 case 7:99 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */100 printLine("Benign, fixed string");101 break;102 default:103 {104 int i;105 int * buffer = (int *)malloc(10 * sizeof(int));106 if (buffer == NULL) {exit(-1);}107 /* initialize buffer */108 for (i = 0; i < 10; i++)109 {110 buffer[i] = 0;111 }112 /* FIX: Properly validate the array index and prevent a buffer overflow */113 if (data >= 0 && data < (10))114 {115 buffer[data] = 1;116 /* Print the array values */117 for(i = 0; i < 10; i++)118 {119 printIntLine(buffer[i]);120 }121 }122 else123 {124 printLine("ERROR: Array index is out-of-bounds");125 }126 free(buffer);127 }128 break;129 }130}131132/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */133static void goodB2G2()134{135 int data;136 /* Initialize data */137 data = -1;138 switch(6)139 {140 case 6:141 /* POTENTIAL FLAW: Set data to a random value */142 data = RAND32();143 break;144 default:145 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */146 printLine("Benign, fixed string");147 break;148 }149 switch(7)150 {151 case 7:152 {153 int i;154 int * buffer = (int *)malloc(10 * sizeof(int));155 if (buffer == NULL) {exit(-1);}156 /* initialize buffer */157 for (i = 0; i < 10; i++)158 {159 buffer[i] = 0;160 }161 /* FIX: Properly validate the array index and prevent a buffer overflow */162 if (data >= 0 && data < (10))163 {164 buffer[data] = 1;165 /* Print the array values */166 for(i = 0; i < 10; i++)167 {168 printIntLine(buffer[i]);169 }170 }171 else172 {173 printLine("ERROR: Array index is out-of-bounds");174 }175 free(buffer);176 }177 break;178 default:179 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */180 printLine("Benign, fixed string");181 break;182 }183}184185/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */186static void goodG2B1()187{188 int data;189 /* Initialize data */190 data = -1;191 switch(5)192 {193 case 6:194 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */195 printLine("Benign, fixed string");196 break;197 default:198 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to199 * access an index of the array in the sink that is out-of-bounds */200 data = 7;201 break;202 }203 switch(7)204 {205 case 7:206 {207 int i;208 int * buffer = (int *)malloc(10 * sizeof(int));209 if (buffer == NULL) {exit(-1);}210 /* initialize buffer */211 for (i = 0; i < 10; i++)212 {213 buffer[i] = 0;214 }215 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound216 * This code does check to see if the array index is negative */217 if (data >= 0)218 {219 buffer[data] = 1;220 /* Print the array values */221 for(i = 0; i < 10; i++)222 {223 printIntLine(buffer[i]);224 }225 }226 else227 {228 printLine("ERROR: Array index is negative.");229 }230 free(buffer);231 }232 break;233 default:234 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */235 printLine("Benign, fixed string");236 break;237 }238}239240/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */241static void goodG2B2()242{243 int data;244 /* Initialize data */245 data = -1;246 switch(6)247 {248 case 6:249 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to250 * access an index of the array in the sink that is out-of-bounds */251 data = 7;252 break;253 default:254 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */255 printLine("Benign, fixed string");256 break;257 }258 switch(7)259 {260 case 7:261 {262 int i;263 int * buffer = (int *)malloc(10 * sizeof(int));264 if (buffer == NULL) {exit(-1);}265 /* initialize buffer */266 for (i = 0; i < 10; i++)267 {268 buffer[i] = 0;269 }270 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound271 * This code does check to see if the array index is negative */272 if (data >= 0)273 {274 buffer[data] = 1;275 /* Print the array values */276 for(i = 0; i < 10; i++)277 {278 printIntLine(buffer[i]);279 }280 }281 else282 {283 printLine("ERROR: Array index is negative.");284 }285 free(buffer);286 }287 break;288 default:289 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */290 printLine("Benign, fixed string");291 break;292 }293}294295void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15_good()296{297 goodB2G1();298 goodB2G2();299 goodG2B1();300 goodG2B2();301}302303#endif /* OMITGOOD */304305/* Below is the main(). It is only used when building this testcase on306 its own for testing or for building a binary to use in testing binary307 analysis tools. It is not used when compiling all the testcases as one308 application, which is how source code analysis tools are tested. */309310#ifdef INCLUDEMAIN311312int main(int argc, char * argv[])313{314 /* seed randomness */315 srand( (unsigned)time(NULL) );316#ifndef OMITGOOD317 printLine("Calling good()...");318 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15_good();319 printLine("Finished good()");320#endif /* OMITGOOD */321#ifndef OMITBAD322 printLine("Calling bad()...");323 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15_bad();324 printLine("Finished bad()");325#endif /* OMITBAD */326 return 0;327}328329#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_06.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-06.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy string to data using memmove13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is declared "const", so a tool should be able22 to identify that reads of this will always give its initialized23 value. */24static const int STATIC_CONST_FIVE = 5;2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_0627{2829#ifndef OMITBAD3031void bad()32{✓ 33 wchar_t * data;✓ 34 data = NULL;✓ 35 if(STATIC_CONST_FIVE==5)36 {37 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 38 data = new wchar_t[50];✓ 39 data[0] = L'\0'; /* null terminate */40 }41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 46 memmove(data, source, 100*sizeof(wchar_t));❗VULN✓ 47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 48 printWLine(data);✓ 49 delete [] data;50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */58static void goodG2B1()59{60 wchar_t * data;61 data = NULL;62 if(STATIC_CONST_FIVE!=5)63 {64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */65 printLine("Benign, fixed string");66 }67 else68 {69 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */70 data = new wchar_t[100];71 data[0] = L'\0'; /* null terminate */72 }73 {74 wchar_t source[100];75 wmemset(source, L'C', 100-1); /* fill with L'C's */76 source[100-1] = L'\0'; /* null terminate */77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */78 memmove(data, source, 100*sizeof(wchar_t));79 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */80 printWLine(data);81 delete [] data;82 }83}8485/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */86static void goodG2B2()87{88 wchar_t * data;89 data = NULL;90 if(STATIC_CONST_FIVE==5)91 {92 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */93 data = new wchar_t[100];94 data[0] = L'\0'; /* null terminate */95 }96 {97 wchar_t source[100];98 wmemset(source, L'C', 100-1); /* fill with L'C's */99 source[100-1] = L'\0'; /* null terminate */100 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */101 memmove(data, source, 100*sizeof(wchar_t));102 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */103 printWLine(data);104 delete [] data;105 }106}107108void good()109{110 goodG2B1();111 goodG2B2();112}113114#endif /* OMITGOOD */115116} /* close namespace */117118/* Below is the main(). It is only used when building this testcase on119 its own for testing or for building a binary to use in testing binary120 analysis tools. It is not used when compiling all the testcases as one121 application, which is how source code analysis tools are tested. */122123#ifdef INCLUDEMAIN124125using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_06; /* so that we can use good and bad easily */126127int main(int argc, char * argv[])128{129 /* seed randomness */130 srand( (unsigned)time(NULL) );131#ifndef OMITGOOD132 printLine("Calling good()...");133 good();134 printLine("Finished good()");135#endif /* OMITGOOD */136#ifndef OMITBAD137 printLine("Calling bad()...");138 bad();139 printLine("Finished bad()");140#endif /* OMITBAD */141 return 0;142}143144#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_10.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-10.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: ncat12 * BadSink : Copy string to data using wcsncat13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_1022{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;✓ 30 if(globalTrue)31 {32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 33 data = new wchar_t[50];✓ 34 data[0] = L'\0'; /* null terminate */35 }36 {✓ 37 wchar_t source[100];✓ 38 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 39 source[100-1] = L'\0'; /* null terminate */40 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 41 wcsncat(data, source, 100);❗VULN✓ 42 printWLine(data);✓ 43 delete [] data;44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */52static void goodG2B1()53{54 wchar_t * data;55 data = NULL;56 if(globalFalse)57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */64 data = new wchar_t[100];65 data[0] = L'\0'; /* null terminate */66 }67 {68 wchar_t source[100];69 wmemset(source, L'C', 100-1); /* fill with L'C's */70 source[100-1] = L'\0'; /* null terminate */71 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */72 wcsncat(data, source, 100);73 printWLine(data);74 delete [] data;75 }76}7778/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */79static void goodG2B2()80{81 wchar_t * data;82 data = NULL;83 if(globalTrue)84 {85 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */86 data = new wchar_t[100];87 data[0] = L'\0'; /* null terminate */88 }89 {90 wchar_t source[100];91 wmemset(source, L'C', 100-1); /* fill with L'C's */92 source[100-1] = L'\0'; /* null terminate */93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */94 wcsncat(data, source, 100);95 printWLine(data);96 delete [] data;97 }98}99100void good()101{102 goodG2B1();103 goodG2B2();104}105106#endif /* OMITGOOD */107108} /* close namespace */109110/* Below is the main(). It is only used when building this testcase on111 its own for testing or for building a binary to use in testing binary112 analysis tools. It is not used when compiling all the testcases as one113 application, which is how source code analysis tools are tested. */114115#ifdef INCLUDEMAIN116117using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_10; /* so that we can use good and bad easily */118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_alloca_memcpy_06.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-06.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is declared "const", so a tool should be able22 * to identify that reads of this will always give its initialized value. */23static const int STATIC_CONST_FIVE = 5;2425#ifndef OMITBAD2627void CWE127_Buffer_Underread__char_alloca_memcpy_06_bad()28{✓ 29 char * data;✓ 30 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 31 memset(dataBuffer, 'A', 100-1);✓ 32 dataBuffer[100-1] = '\0';✓ 33 if(STATIC_CONST_FIVE==5)34 {35 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 36 data = dataBuffer - 8;37 }38 {✓ 39 char dest[100];✓ 40 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 41 dest[100-1] = '\0'; /* null terminate */42 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 43 memcpy(dest, data, 100*sizeof(char));❗VULN44 /* Ensure null termination */✓ 45 dest[100-1] = '\0';✓ 46 printLine(dest);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */55static void goodG2B1()56{57 char * data;58 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));59 memset(dataBuffer, 'A', 100-1);60 dataBuffer[100-1] = '\0';61 if(STATIC_CONST_FIVE!=5)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Set data pointer to the allocated memory buffer */69 data = dataBuffer;70 }71 {72 char dest[100];73 memset(dest, 'C', 100-1); /* fill with 'C's */74 dest[100-1] = '\0'; /* null terminate */75 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */76 memcpy(dest, data, 100*sizeof(char));77 /* Ensure null termination */78 dest[100-1] = '\0';79 printLine(dest);80 }81}8283/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */84static void goodG2B2()85{86 char * data;87 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));88 memset(dataBuffer, 'A', 100-1);89 dataBuffer[100-1] = '\0';90 if(STATIC_CONST_FIVE==5)91 {92 /* FIX: Set data pointer to the allocated memory buffer */93 data = dataBuffer;94 }95 {96 char dest[100];97 memset(dest, 'C', 100-1); /* fill with 'C's */98 dest[100-1] = '\0'; /* null terminate */99 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */100 memcpy(dest, data, 100*sizeof(char));101 /* Ensure null termination */102 dest[100-1] = '\0';103 printLine(dest);104 }105}106107void CWE127_Buffer_Underread__char_alloca_memcpy_06_good()108{109 goodG2B1();110 goodG2B2();111}112113#endif /* OMITGOOD */114115/* Below is the main(). It is only used when building this testcase on116 * its own for testing or for building a binary to use in testing binary117 * analysis tools. It is not used when compiling all the testcases as one118 * application, which is how source code analysis tools are tested.119 */120121#ifdef INCLUDEMAIN122123int main(int argc, char * argv[])124{125 /* seed randomness */126 srand( (unsigned)time(NULL) );127#ifndef OMITGOOD128 printLine("Calling good()...");129 CWE127_Buffer_Underread__char_alloca_memcpy_06_good();130 printLine("Finished good()");131#endif /* OMITGOOD */132#ifndef OMITBAD133 printLine("Calling bad()...");134 CWE127_Buffer_Underread__char_alloca_memcpy_06_bad();135 printLine("Finished bad()");136#endif /* OMITBAD */137 return 0;138}139140#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61a.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE129.label.xml4Template File: sources-sinks-61a.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: fgets Read data from the console using fgets()10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 61 Data flow: data returned from one function to another in different source files15 *16 * */1718#include "std_testcase.h"1920#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)2122#ifndef OMITBAD2324/* bad function declaration */25int CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_badSource(int data);2627void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61_bad()28{✓ 29 int data;30 /* Initialize data */✓ 31 data = -1;✓ 32 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_badSource(data);33 {✓ 34 int i;✓ 35 int * buffer = (int *)malloc(10 * sizeof(int));✓ 36 if (buffer == NULL) {exit(-1);}37 /* initialize buffer */✓ 38 for (i = 0; i < 10; i++)39 {✓ 40 buffer[i] = 0;41 }42 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound43 * This code does check to see if the array index is negative */✓ 44 if (data >= 0)45 {✓ 46 buffer[data] = 1;❗VULN47 /* Print the array values */✓ 48 for(i = 0; i < 10; i++)49 {✓ 50 printIntLine(buffer[i]);51 }52 }53 else54 {✓ 55 printLine("ERROR: Array index is negative.");56 }✓ 57 free(buffer);58 }59}6061#endif /* OMITBAD */6263#ifndef OMITGOOD6465/* goodG2B uses the GoodSource with the BadSink */66int CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_goodG2BSource(int data);6768static void goodG2B()69{70 int data;71 /* Initialize data */72 data = -1;73 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_goodG2BSource(data);74 {75 int i;76 int * buffer = (int *)malloc(10 * sizeof(int));77 if (buffer == NULL) {exit(-1);}78 /* initialize buffer */79 for (i = 0; i < 10; i++)80 {81 buffer[i] = 0;82 }83 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound84 * This code does check to see if the array index is negative */85 if (data >= 0)86 {87 buffer[data] = 1;88 /* Print the array values */89 for(i = 0; i < 10; i++)90 {91 printIntLine(buffer[i]);92 }93 }94 else95 {96 printLine("ERROR: Array index is negative.");97 }98 free(buffer);99 }100}101102/* goodB2G uses the BadSource with the GoodSink */103int CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_goodB2GSource(int data);104105static void goodB2G()106{107 int data;108 /* Initialize data */109 data = -1;110 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_goodB2GSource(data);111 {112 int i;113 int * buffer = (int *)malloc(10 * sizeof(int));114 if (buffer == NULL) {exit(-1);}115 /* initialize buffer */116 for (i = 0; i < 10; i++)117 {118 buffer[i] = 0;119 }120 /* FIX: Properly validate the array index and prevent a buffer overflow */121 if (data >= 0 && data < (10))122 {123 buffer[data] = 1;124 /* Print the array values */125 for(i = 0; i < 10; i++)126 {127 printIntLine(buffer[i]);128 }129 }130 else131 {132 printLine("ERROR: Array index is out-of-bounds");133 }134 free(buffer);135 }136}137138void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61_good()139{140 goodG2B();141 goodB2G();142}143144#endif /* OMITGOOD */145146/* Below is the main(). It is only used when building this testcase on147 its own for testing or for building a binary to use in testing binary148 analysis tools. It is not used when compiling all the testcases as one149 application, which is how source code analysis tools are tested. */150151#ifdef INCLUDEMAIN152153int main(int argc, char * argv[])154{155 /* seed randomness */156 srand( (unsigned)time(NULL) );157#ifndef OMITGOOD158 printLine("Calling good()...");159 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61_good();160 printLine("Finished good()");161#endif /* OMITGOOD */162#ifndef OMITBAD163 printLine("Calling bad()...");164 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61_bad();165 printLine("Finished bad()");166#endif /* OMITBAD */167 return 0;168}169170#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy twoIntsStruct array to data using a loop13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18_bad()22{✓ 23 twoIntsStruct * data;✓ 24 twoIntsStruct dataBadBuffer[50];✓ 25 twoIntsStruct dataGoodBuffer[100];✓ 26 goto source;✓ 27source:28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination29 * buffer in various memory copying functions using a "large" source buffer. */✓ 30 data = dataBadBuffer;31 {✓ 32 twoIntsStruct source[100];33 {✓ 34 size_t i;35 /* Initialize array */✓ 36 for (i = 0; i < 100; i++)37 {✓ 38 source[i].intOne = 0;✓ 39 source[i].intTwo = 0;40 }41 }42 {✓ 43 size_t i;44 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 45 for (i = 0; i < 100; i++)46 {✓ 47 data[i] = source[i];❗VULN48 }✓ 49 printStructLine(&data[0]);50 }51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */59static void goodG2B()60{61 twoIntsStruct * data;62 twoIntsStruct dataBadBuffer[50];63 twoIntsStruct dataGoodBuffer[100];64 goto source;65source:66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */67 data = dataGoodBuffer;68 {69 twoIntsStruct source[100];70 {71 size_t i;72 /* Initialize array */73 for (i = 0; i < 100; i++)74 {75 source[i].intOne = 0;76 source[i].intTwo = 0;77 }78 }79 {80 size_t i;81 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */82 for (i = 0; i < 100; i++)83 {84 data[i] = source[i];85 }86 printStructLine(&data[0]);87 }88 }89}9091void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18_good()92{93 goodG2B();94}9596#endif /* OMITGOOD */9798/* Below is the main(). It is only used when building this testcase on99 * its own for testing or for building a binary to use in testing binary100 * analysis tools. It is not used when compiling all the testcases as one101 * application, which is how source code analysis tools are tested.102 */103104#ifdef INCLUDEMAIN105106int main(int argc, char * argv[])107{108 /* seed randomness */109 srand( (unsigned)time(NULL) );110#ifndef OMITGOOD111 printLine("Calling good()...");112 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18_good();113 printLine("Finished good()");114#endif /* OMITGOOD */115#ifndef OMITBAD116 printLine("Calling bad()...");117 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18_bad();118 printLine("Finished bad()");119#endif /* OMITBAD */120 return 0;121}122123#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memmove12 * BadSink : Copy string to data using memmove13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18_bad()24{✓ 25 char * data;✓ 26 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));✓ 27 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));✓ 28 goto source;✓ 29source:30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination31 * buffer in various memory copying functions using a "large" source buffer. */✓ 32 data = dataBadBuffer;✓ 33 data[0] = '\0'; /* null terminate */34 {✓ 35 char source[100];✓ 36 memset(source, 'C', 100-1); /* fill with 'C's */✓ 37 source[100-1] = '\0'; /* null terminate */38 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 39 memmove(data, source, 100*sizeof(char));❗VULN✓ 40 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 41 printLine(data);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */50static void goodG2B()51{52 char * data;53 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));54 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));55 goto source;56source:57 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */58 data = dataGoodBuffer;59 data[0] = '\0'; /* null terminate */60 {61 char source[100];62 memset(source, 'C', 100-1); /* fill with 'C's */63 source[100-1] = '\0'; /* null terminate */64 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */65 memmove(data, source, 100*sizeof(char));66 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */67 printLine(data);68 }69}7071void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18_good()72{73 goodG2B();74}7576#endif /* OMITGOOD */7778/* Below is the main(). It is only used when building this testcase on79 * its own for testing or for building a binary to use in testing binary80 * analysis tools. It is not used when compiling all the testcases as one81 * application, which is how source code analysis tools are tested.82 */8384#ifdef INCLUDEMAIN8586int main(int argc, char * argv[])87{88 /* seed randomness */89 srand( (unsigned)time(NULL) );90#ifndef OMITGOOD91 printLine("Calling good()...");92 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18_good();93 printLine("Finished good()");94#endif /* OMITGOOD */95#ifndef OMITBAD96 printLine("Calling bad()...");97 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18_bad();98 printLine("Finished bad()");99#endif /* OMITBAD */100 return 0;101}102103#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-17.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memmove12 * BadSink : Copy int64_t array to data using memmove13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17_bad()22{✓ 23 int i;✓ 24 int64_t * data;✓ 25 int64_t * dataBadBuffer = (int64_t *)ALLOCA(50*sizeof(int64_t));✓ 26 int64_t * dataGoodBuffer = (int64_t *)ALLOCA(100*sizeof(int64_t));✓ 27 for(i = 0; i < 1; i++)28 {29 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination30 * buffer in various memory copying functions using a "large" source buffer. */✓ 31 data = dataBadBuffer;32 }33 {✓ 34 int64_t source[100] = {0}; /* fill with 0's */35 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 36 memmove(data, source, 100*sizeof(int64_t));❗VULN✓ 37 printLongLongLine(data[0]);38 }39}4041#endif /* OMITBAD */4243#ifndef OMITGOOD4445/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */46static void goodG2B()47{48 int h;49 int64_t * data;50 int64_t * dataBadBuffer = (int64_t *)ALLOCA(50*sizeof(int64_t));51 int64_t * dataGoodBuffer = (int64_t *)ALLOCA(100*sizeof(int64_t));52 for(h = 0; h < 1; h++)53 {54 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */55 data = dataGoodBuffer;56 }57 {58 int64_t source[100] = {0}; /* fill with 0's */59 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */60 memmove(data, source, 100*sizeof(int64_t));61 printLongLongLine(data[0]);62 }63}6465void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17_good()66{67 goodG2B();68}6970#endif /* OMITGOOD */7172/* Below is the main(). It is only used when building this testcase on73 * its own for testing or for building a binary to use in testing binary74 * analysis tools. It is not used when compiling all the testcases as one75 * application, which is how source code analysis tools are tested.76 */7778#ifdef INCLUDEMAIN7980int main(int argc, char * argv[])81{82 /* seed randomness */83 srand( (unsigned)time(NULL) );84#ifndef OMITGOOD85 printLine("Calling good()...");86 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17_good();87 printLine("Finished good()");88#endif /* OMITGOOD */89#ifndef OMITBAD90 printLine("Calling bad()...");91 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17_bad();92 printLine("Finished bad()");93#endif /* OMITBAD */94 return 0;95}9697#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__char_declare_loop_02.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__char_declare_loop_02_bad()24{✓ 25 char * data;✓ 26 char dataBuffer[100];✓ 27 memset(dataBuffer, 'A', 100-1);✓ 28 dataBuffer[100-1] = '\0';✓ 29 if(1)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 size_t i;✓ 36 char source[100];✓ 37 memset(source, 'C', 100-1); /* fill with 'C's */✓ 38 source[100-1] = '\0'; /* null terminate */39 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 40 for (i = 0; i < 100; i++)41 {✓ 42 data[i] = source[i];❗VULN43 }44 /* Ensure the destination buffer is null terminated */✓ 45 data[100-1] = '\0';✓ 46 printLine(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */55static void goodG2B1()56{57 char * data;58 char dataBuffer[100];59 memset(dataBuffer, 'A', 100-1);60 dataBuffer[100-1] = '\0';61 if(0)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Set data pointer to the allocated memory buffer */69 data = dataBuffer;70 }71 {72 size_t i;73 char source[100];74 memset(source, 'C', 100-1); /* fill with 'C's */75 source[100-1] = '\0'; /* null terminate */76 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */77 for (i = 0; i < 100; i++)78 {79 data[i] = source[i];80 }81 /* Ensure the destination buffer is null terminated */82 data[100-1] = '\0';83 printLine(data);84 }85}8687/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */88static void goodG2B2()89{90 char * data;91 char dataBuffer[100];92 memset(dataBuffer, 'A', 100-1);93 dataBuffer[100-1] = '\0';94 if(1)95 {96 /* FIX: Set data pointer to the allocated memory buffer */97 data = dataBuffer;98 }99 {100 size_t i;101 char source[100];102 memset(source, 'C', 100-1); /* fill with 'C's */103 source[100-1] = '\0'; /* null terminate */104 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */105 for (i = 0; i < 100; i++)106 {107 data[i] = source[i];108 }109 /* Ensure the destination buffer is null terminated */110 data[100-1] = '\0';111 printLine(data);112 }113}114115void CWE124_Buffer_Underwrite__char_declare_loop_02_good()116{117 goodG2B1();118 goodG2B2();119}120121#endif /* OMITGOOD */122123/* Below is the main(). It is only used when building this testcase on124 * its own for testing or for building a binary to use in testing binary125 * analysis tools. It is not used when compiling all the testcases as one126 * application, which is how source code analysis tools are tested.127 */128129#ifdef INCLUDEMAIN130131int main(int argc, char * argv[])132{133 /* seed randomness */134 srand( (unsigned)time(NULL) );135#ifndef OMITGOOD136 printLine("Calling good()...");137 CWE124_Buffer_Underwrite__char_declare_loop_02_good();138 printLine("Finished good()");139#endif /* OMITGOOD */140#ifndef OMITBAD141 printLine("Calling bad()...");142 CWE124_Buffer_Underwrite__char_declare_loop_02_bad();143 printLine("Finished bad()");144#endif /* OMITBAD */145 return 0;146}147148#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_16.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml4Template File: sources-sink-16.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_1622{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = new char[100];✓ 30 while(1)31 {32 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 33 memset(data, 'A', 100-1); /* fill with 'A's */✓ 34 data[100-1] = '\0'; /* null terminate */✓ 35 break;36 }37 {✓ 38 char dest[50] = "";39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 40 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN✓ 41 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 42 printLine(data);✓ 43 delete [] data;44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */52static void goodG2B()53{54 char * data;55 data = new char[100];56 while(1)57 {58 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */59 memset(data, 'A', 50-1); /* fill with 'A's */60 data[50-1] = '\0'; /* null terminate */61 break;62 }63 {64 char dest[50] = "";65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */66 memcpy(dest, data, strlen(data)*sizeof(char));67 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */68 printLine(data);69 delete [] data;70 }71}7273void good()74{75 goodG2B();76}7778#endif /* OMITGOOD */7980} /* close namespace */8182/* Below is the main(). It is only used when building this testcase on83 its own for testing or for building a binary to use in testing binary84 analysis tools. It is not used when compiling all the testcases as one85 application, which is how source code analysis tools are tested. */8687#ifdef INCLUDEMAIN8889using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_16; /* so that we can use good and bad easily */9091int main(int argc, char * argv[])92{93 /* seed randomness */94 srand( (unsigned)time(NULL) );95#ifndef OMITGOOD96 printLine("Calling good()...");97 good();98 printLine("Finished good()");99#endif /* OMITGOOD */100#ifndef OMITBAD101 printLine("Calling bad()...");102 bad();103 printLine("Finished bad()");104#endif /* OMITBAD */105 return 0;106}107108#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_12.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml4Template File: sources-sink-12.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy int64_t array to data using memcpy13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())14 *15 * */1617#include "std_testcase.h"1819namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_1220{2122#ifndef OMITBAD2324void bad()25{✓ 26 int64_t * data;✓ 27 data = NULL;✓ 28 if(globalReturnsTrueOrFalse())29 {30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 31 data = new int64_t[50];32 }33 else34 {35 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */✓ 36 data = new int64_t[100];37 }38 {✓ 39 int64_t source[100] = {0}; /* fill with 0's */40 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 41 memcpy(data, source, 100*sizeof(int64_t));❗VULN✓ 42 printLongLongLine(data[0]);✓ 43 delete [] data;44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B() - use goodsource and badsink by changing the "if" so that52 both branches use the GoodSource */53static void goodG2B()54{55 int64_t * data;56 data = NULL;57 if(globalReturnsTrueOrFalse())58 {59 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */60 data = new int64_t[100];61 }62 else63 {64 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */65 data = new int64_t[100];66 }67 {68 int64_t source[100] = {0}; /* fill with 0's */69 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */70 memcpy(data, source, 100*sizeof(int64_t));71 printLongLongLine(data[0]);72 delete [] data;73 }74}7576void good()77{78 goodG2B();79}8081#endif /* OMITGOOD */8283} /* close namespace */8485/* Below is the main(). It is only used when building this testcase on86 its own for testing or for building a binary to use in testing binary87 analysis tools. It is not used when compiling all the testcases as one88 application, which is how source code analysis tools are tested. */8990#ifdef INCLUDEMAIN9192using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_12; /* so that we can use good and bad easily */9394int main(int argc, char * argv[])95{96 /* seed randomness */97 srand( (unsigned)time(NULL) );98#ifndef OMITGOOD99 printLine("Calling good()...");100 good();101 printLine("Finished good()");102#endif /* OMITGOOD */103#ifndef OMITBAD104 printLine("Calling bad()...");105 bad();106 printLine("Finished bad()");107#endif /* OMITBAD */108 return 0;109}110111#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml4Template File: sources-sink-04.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory without using sizeof(int)10 * GoodSource: Allocate memory using sizeof(int)11 * Sink: memmove12 * BadSink : Copy array to data using memmove()13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819/* The two variables below are declared "const", so a tool should20 * be able to identify that reads of these will always return their21 * initialized values.22 */23static const int STATIC_CONST_TRUE = 1; /* true */24static const int STATIC_CONST_FALSE = 0; /* false */2526#ifndef OMITBAD2728void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04_bad()29{✓ 30 int * data;✓ 31 data = NULL;✓ 32 if(STATIC_CONST_TRUE)33 {34 /* FLAW: Allocate memory without using sizeof(int) */✓ 35 data = (int *)malloc(10);✓ 36 if (data == NULL) {exit(-1);}37 }38 {✓ 39 int source[10] = {0};40 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */✓ 41 memmove(data, source, 10*sizeof(int));❗VULN✓ 42 printIntLine(data[0]);✓ 43 free(data);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */52static void goodG2B1()53{54 int * data;55 data = NULL;56 if(STATIC_CONST_FALSE)57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Allocate memory using sizeof(int) */64 data = (int *)malloc(10*sizeof(int));65 if (data == NULL) {exit(-1);}66 }67 {68 int source[10] = {0};69 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */70 memmove(data, source, 10*sizeof(int));71 printIntLine(data[0]);72 free(data);73 }74}7576/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */77static void goodG2B2()78{79 int * data;80 data = NULL;81 if(STATIC_CONST_TRUE)82 {83 /* FIX: Allocate memory using sizeof(int) */84 data = (int *)malloc(10*sizeof(int));85 if (data == NULL) {exit(-1);}86 }87 {88 int source[10] = {0};89 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */90 memmove(data, source, 10*sizeof(int));91 printIntLine(data[0]);92 free(data);93 }94}9596void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04_good()97{98 goodG2B1();99 goodG2B2();100}101102#endif /* OMITGOOD */103104/* Below is the main(). It is only used when building this testcase on105 * its own for testing or for building a binary to use in testing binary106 * analysis tools. It is not used when compiling all the testcases as one107 * application, which is how source code analysis tools are tested.108 */109110#ifdef INCLUDEMAIN111112int main(int argc, char * argv[])113{114 /* seed randomness */115 srand( (unsigned)time(NULL) );116#ifndef OMITGOOD117 printLine("Calling good()...");118 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04_good();119 printLine("Finished good()");120#endif /* OMITGOOD */121#ifndef OMITBAD122 printLine("Calling bad()...");123 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04_bad();124 printLine("Finished bad()");125#endif /* OMITBAD */126 return 0;127}128129#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 6 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68b.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml4Template File: sources-sink-68b.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncpy12 * BadSink : Copy data to string using strncpy13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021extern char * CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68_badData;22extern char * CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68_goodG2BData;2324namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_6825{2627/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */2829#ifndef OMITBAD3031void badSink()32{✓ 33 char * data = CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68_badData;34 {✓ 35 char dest[50] = "";36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 37 strncpy(dest, data, strlen(data));❗VULN✓ 38 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 39 printLine(data);✓ 40 delete [] data;41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B uses the GoodSource with the BadSink */49void goodG2BSink()50{51 char * data = CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68_goodG2BData;52 {53 char dest[50] = "";54 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */55 strncpy(dest, data, strlen(data));56 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */57 printLine(data);58 delete [] data;59 }60}6162#endif /* OMITGOOD */6364} /* close namespace */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_33.cpp3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sinks: memmove12 * BadSink : Copy twoIntsStruct array to data using memmove13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819namespace CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_3320{2122#ifndef OMITBAD2324void bad()25{✓ 26 twoIntsStruct * data;✓ 27 twoIntsStruct * &dataRef = data;✓ 28 twoIntsStruct dataBadBuffer[50];✓ 29 twoIntsStruct dataGoodBuffer[100];30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination31 * buffer in various memory copying functions using a "large" source buffer. */✓ 32 data = dataBadBuffer;33 {✓ 34 twoIntsStruct * data = dataRef;35 {✓ 36 twoIntsStruct source[100];37 {✓ 38 size_t i;39 /* Initialize array */✓ 40 for (i = 0; i < 100; i++)41 {✓ 42 source[i].intOne = 0;✓ 43 source[i].intTwo = 0;44 }45 }46 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 47 memmove(data, source, 100*sizeof(twoIntsStruct));❗VULN✓ 48 printStructLine(&data[0]);49 }50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B() uses the GoodSource with the BadSink */58static void goodG2B()59{60 twoIntsStruct * data;61 twoIntsStruct * &dataRef = data;62 twoIntsStruct dataBadBuffer[50];63 twoIntsStruct dataGoodBuffer[100];64 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */65 data = dataGoodBuffer;66 {67 twoIntsStruct * data = dataRef;68 {69 twoIntsStruct source[100];70 {71 size_t i;72 /* Initialize array */73 for (i = 0; i < 100; i++)74 {75 source[i].intOne = 0;76 source[i].intTwo = 0;77 }78 }79 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */80 memmove(data, source, 100*sizeof(twoIntsStruct));81 printStructLine(&data[0]);82 }83 }84}8586void good()87{88 goodG2B();89}9091#endif /* OMITGOOD */9293} /* close namespace */9495/* Below is the main(). It is only used when building this testcase on96 * its own for testing or for building a binary to use in testing binary97 * analysis tools. It is not used when compiling all the testcases as one98 * application, which is how source code analysis tools are tested.99 */100#ifdef INCLUDEMAIN101102using namespace CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_33; /* so that we can use good and bad easily */103104int main(int argc, char * argv[])105{106 /* seed randomness */107 srand( (unsigned)time(NULL) );108#ifndef OMITGOOD109 printLine("Calling good()...");110 good();111 printLine("Finished good()");112#endif /* OMITGOOD */113#ifndef OMITBAD114 printLine("Calling bad()...");115 bad();116 printLine("Finished bad()");117#endif /* OMITBAD */118 return 0;119}120121#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 27 | Sink Nodes: 2 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE135_15.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE135.label.xml4Template File: sources-sinks-15.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Void pointer to a wchar_t array10 * GoodSource: Void pointer to a char array11 * Sinks:12 * GoodSink: Allocate memory using wcslen() and copy data13 * BadSink : Allocate memory using strlen() and copy data14 * Flow Variant: 15 Control flow: switch(6) and switch(7)15 *16 * */1718#include "std_testcase.h"1920#include <wchar.h>2122#ifndef OMITBAD2324void CWE122_Heap_Based_Buffer_Overflow__CWE135_15_bad()25{✓ 26 void * data;✓ 27 data = NULL;✓ 28 switch(6)29 {✓ 30 case 6:31 {✓ 32 wchar_t * dataBadBuffer = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 33 if (dataBadBuffer == NULL) {exit(-1);}✓ 34 wmemset(dataBadBuffer, L'A', 50-1);✓ 35 dataBadBuffer[50-1] = L'\0';36 /* POTENTIAL FLAW: Set data to point to a wide string */✓ 37 data = (void *)dataBadBuffer;38 }✓ 39 break;✓ 40 default:41 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 42 printLine("Benign, fixed string");✓ 43 break;44 }✓ 45 switch(7)46 {✓ 47 case 7:48 {49 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */✓ 50 size_t dataLen = strlen((char *)data);❗VULN✓ 51 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));✓ 52 if (dest == NULL) {exit(-1);}✓ 53 (void)wcscpy(dest, data);❗VULN✓ 54 printLine((char *)dest);✓ 55 free(dest);56 }✓ 57 break;✓ 58 default:59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 60 printLine("Benign, fixed string");✓ 61 break;62 }63}6465#endif /* OMITBAD */6667#ifndef OMITGOOD6869/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */70static void goodB2G1()71{72 void * data;73 data = NULL;74 switch(6)75 {76 case 6:77 {78 wchar_t * dataBadBuffer = (wchar_t *)malloc(50*sizeof(wchar_t));79 if (dataBadBuffer == NULL) {exit(-1);}80 wmemset(dataBadBuffer, L'A', 50-1);81 dataBadBuffer[50-1] = L'\0';82 /* POTENTIAL FLAW: Set data to point to a wide string */83 data = (void *)dataBadBuffer;84 }85 break;86 default:87 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */88 printLine("Benign, fixed string");89 break;90 }91 switch(8)92 {93 case 7:94 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */95 printLine("Benign, fixed string");96 break;97 default:98 {99 /* FIX: treating pointer like a wchar_t* */100 size_t dataLen = wcslen((wchar_t *)data);101 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));102 if (dest == NULL) {exit(-1);}103 (void)wcscpy(dest, data);104 printWLine((wchar_t *)dest);105 free(dest);106 }107 break;108 }109}110111/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */112static void goodB2G2()113{114 void * data;115 data = NULL;116 switch(6)117 {118 case 6:119 {120 wchar_t * dataBadBuffer = (wchar_t *)malloc(50*sizeof(wchar_t));121 if (dataBadBuffer == NULL) {exit(-1);}122 wmemset(dataBadBuffer, L'A', 50-1);123 dataBadBuffer[50-1] = L'\0';124 /* POTENTIAL FLAW: Set data to point to a wide string */125 data = (void *)dataBadBuffer;126 }127 break;128 default:129 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */130 printLine("Benign, fixed string");131 break;132 }133 switch(7)134 {135 case 7:136 {137 /* FIX: treating pointer like a wchar_t* */138 size_t dataLen = wcslen((wchar_t *)data);139 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));140 if (dest == NULL) {exit(-1);}141 (void)wcscpy(dest, data);142 printWLine((wchar_t *)dest);143 free(dest);144 }145 break;146 default:147 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */148 printLine("Benign, fixed string");149 break;150 }151}152153/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */154static void goodG2B1()155{156 void * data;157 data = NULL;158 switch(5)159 {160 case 6:161 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */162 printLine("Benign, fixed string");163 break;164 default:165 {166 char * dataGoodBuffer = (char *)malloc(50*sizeof(char));167 if (dataGoodBuffer == NULL) {exit(-1);}168 memset(dataGoodBuffer, 'A', 50-1);169 dataGoodBuffer[50-1] = '\0';170 /* FIX: Set data to point to a char string */171 data = (void *)dataGoodBuffer;172 }173 break;174 }175 switch(7)176 {177 case 7:178 {179 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */180 size_t dataLen = strlen((char *)data);181 void * dest = (void *)calloc(dataLen+1, 1);182 if (dest == NULL) {exit(-1);}183 (void)strcpy(dest, data);184 printLine((char *)dest);185 free(dest);186 }187 break;188 default:189 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */190 printLine("Benign, fixed string");191 break;192 }193}194195/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */196static void goodG2B2()197{198 void * data;199 data = NULL;200 switch(6)201 {202 case 6:203 {204 char * dataGoodBuffer = (char *)malloc(50*sizeof(char));205 if (dataGoodBuffer == NULL) {exit(-1);}206 memset(dataGoodBuffer, 'A', 50-1);207 dataGoodBuffer[50-1] = '\0';208 /* FIX: Set data to point to a char string */209 data = (void *)dataGoodBuffer;210 }211 break;212 default:213 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */214 printLine("Benign, fixed string");215 break;216 }217 switch(7)218 {219 case 7:220 {221 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */222 size_t dataLen = strlen((char *)data);223 void * dest = (void *)calloc(dataLen+1, 1);224 if (dest == NULL) {exit(-1);}225 (void)strcpy(dest, data);226 printLine((char *)dest);227 free(dest);228 }229 break;230 default:231 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */232 printLine("Benign, fixed string");233 break;234 }235}236237void CWE122_Heap_Based_Buffer_Overflow__CWE135_15_good()238{239 goodB2G1();240 goodB2G2();241 goodG2B1();242 goodG2B2();243}244245#endif /* OMITGOOD */246247/* Below is the main(). It is only used when building this testcase on248 its own for testing or for building a binary to use in testing binary249 analysis tools. It is not used when compiling all the testcases as one250 application, which is how source code analysis tools are tested. */251252#ifdef INCLUDEMAIN253254int main(int argc, char * argv[])255{256 /* seed randomness */257 srand( (unsigned)time(NULL) );258#ifndef OMITGOOD259 printLine("Calling good()...");260 CWE122_Heap_Based_Buffer_Overflow__CWE135_15_good();261 printLine("Finished good()");262#endif /* OMITGOOD */263#ifndef OMITBAD264 printLine("Calling bad()...");265 CWE122_Heap_Based_Buffer_Overflow__CWE135_15_bad();266 printLine("Finished bad()");267#endif /* OMITBAD */268 return 0;269}270271#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-06.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memcpy12 * BadSink : Copy twoIntsStruct array to data using memcpy13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819/* The variable below is declared "const", so a tool should be able20 * to identify that reads of this will always give its initialized value. */21static const int STATIC_CONST_FIVE = 5;2223#ifndef OMITBAD2425void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06_bad()26{✓ 27 twoIntsStruct * data;✓ 28 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));✓ 29 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));✓ 30 if(STATIC_CONST_FIVE==5)31 {32 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination33 * buffer in various memory copying functions using a "large" source buffer. */✓ 34 data = dataBadBuffer;35 }36 {✓ 37 twoIntsStruct source[100];38 {✓ 39 size_t i;40 /* Initialize array */✓ 41 for (i = 0; i < 100; i++)42 {✓ 43 source[i].intOne = 0;✓ 44 source[i].intTwo = 0;45 }46 }47 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 48 memcpy(data, source, 100*sizeof(twoIntsStruct));❗VULN✓ 49 printStructLine(&data[0]);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */58static void goodG2B1()59{60 twoIntsStruct * data;61 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));62 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));63 if(STATIC_CONST_FIVE!=5)64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */71 data = dataGoodBuffer;72 }73 {74 twoIntsStruct source[100];75 {76 size_t i;77 /* Initialize array */78 for (i = 0; i < 100; i++)79 {80 source[i].intOne = 0;81 source[i].intTwo = 0;82 }83 }84 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */85 memcpy(data, source, 100*sizeof(twoIntsStruct));86 printStructLine(&data[0]);87 }88}8990/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */91static void goodG2B2()92{93 twoIntsStruct * data;94 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));95 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));96 if(STATIC_CONST_FIVE==5)97 {98 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */99 data = dataGoodBuffer;100 }101 {102 twoIntsStruct source[100];103 {104 size_t i;105 /* Initialize array */106 for (i = 0; i < 100; i++)107 {108 source[i].intOne = 0;109 source[i].intTwo = 0;110 }111 }112 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */113 memcpy(data, source, 100*sizeof(twoIntsStruct));114 printStructLine(&data[0]);115 }116}117118void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06_good()119{120 goodG2B1();121 goodG2B2();122}123124#endif /* OMITGOOD */125126/* Below is the main(). It is only used when building this testcase on127 * its own for testing or for building a binary to use in testing binary128 * analysis tools. It is not used when compiling all the testcases as one129 * application, which is how source code analysis tools are tested.130 */131132#ifdef INCLUDEMAIN133134int main(int argc, char * argv[])135{136 /* seed randomness */137 srand( (unsigned)time(NULL) );138#ifndef OMITGOOD139 printLine("Calling good()...");140 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06_good();141 printLine("Finished good()");142#endif /* OMITGOOD */143#ifndef OMITBAD144 printLine("Calling bad()...");145 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06_bad();146 printLine("Finished bad()");147#endif /* OMITBAD */148 return 0;149}150151#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 21 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE129.label.xml4Template File: sources-sinks-14.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: fscanf Read data from the console using fscanf()10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)15 *16 * */1718#include "std_testcase.h"1920#ifndef OMITBAD2122void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14_bad()23{✓ 24 int data;25 /* Initialize data */✓ 26 data = -1;✓ 27 if(globalFive==5)28 {29 /* POTENTIAL FLAW: Read data from the console using fscanf() */✓ 30 fscanf(stdin, "%d", &data);31 }✓ 32 if(globalFive==5)33 {34 {✓ 35 int i;✓ 36 int * buffer = (int *)malloc(10 * sizeof(int));✓ 37 if (buffer == NULL) {exit(-1);}38 /* initialize buffer */✓ 39 for (i = 0; i < 10; i++)40 {✓ 41 buffer[i] = 0;42 }43 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound44 * This code does check to see if the array index is negative */✓ 45 if (data >= 0)46 {✓ 47 buffer[data] = 1;❗VULN48 /* Print the array values */✓ 49 for(i = 0; i < 10; i++)50 {✓ 51 printIntLine(buffer[i]);52 }53 }54 else55 {✓ 56 printLine("ERROR: Array index is negative.");57 }✓ 58 free(buffer);59 }60 }61}6263#endif /* OMITBAD */6465#ifndef OMITGOOD6667/* goodB2G1() - use badsource and goodsink by changing the second globalFive==5 to globalFive!=5 */68static void goodB2G1()69{70 int data;71 /* Initialize data */72 data = -1;73 if(globalFive==5)74 {75 /* POTENTIAL FLAW: Read data from the console using fscanf() */76 fscanf(stdin, "%d", &data);77 }78 if(globalFive!=5)79 {80 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */81 printLine("Benign, fixed string");82 }83 else84 {85 {86 int i;87 int * buffer = (int *)malloc(10 * sizeof(int));88 if (buffer == NULL) {exit(-1);}89 /* initialize buffer */90 for (i = 0; i < 10; i++)91 {92 buffer[i] = 0;93 }94 /* FIX: Properly validate the array index and prevent a buffer overflow */95 if (data >= 0 && data < (10))96 {97 buffer[data] = 1;98 /* Print the array values */99 for(i = 0; i < 10; i++)100 {101 printIntLine(buffer[i]);102 }103 }104 else105 {106 printLine("ERROR: Array index is out-of-bounds");107 }108 free(buffer);109 }110 }111}112113/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */114static void goodB2G2()115{116 int data;117 /* Initialize data */118 data = -1;119 if(globalFive==5)120 {121 /* POTENTIAL FLAW: Read data from the console using fscanf() */122 fscanf(stdin, "%d", &data);123 }124 if(globalFive==5)125 {126 {127 int i;128 int * buffer = (int *)malloc(10 * sizeof(int));129 if (buffer == NULL) {exit(-1);}130 /* initialize buffer */131 for (i = 0; i < 10; i++)132 {133 buffer[i] = 0;134 }135 /* FIX: Properly validate the array index and prevent a buffer overflow */136 if (data >= 0 && data < (10))137 {138 buffer[data] = 1;139 /* Print the array values */140 for(i = 0; i < 10; i++)141 {142 printIntLine(buffer[i]);143 }144 }145 else146 {147 printLine("ERROR: Array index is out-of-bounds");148 }149 free(buffer);150 }151 }152}153154/* goodG2B1() - use goodsource and badsink by changing the first globalFive==5 to globalFive!=5 */155static void goodG2B1()156{157 int data;158 /* Initialize data */159 data = -1;160 if(globalFive!=5)161 {162 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */163 printLine("Benign, fixed string");164 }165 else166 {167 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to168 * access an index of the array in the sink that is out-of-bounds */169 data = 7;170 }171 if(globalFive==5)172 {173 {174 int i;175 int * buffer = (int *)malloc(10 * sizeof(int));176 if (buffer == NULL) {exit(-1);}177 /* initialize buffer */178 for (i = 0; i < 10; i++)179 {180 buffer[i] = 0;181 }182 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound183 * This code does check to see if the array index is negative */184 if (data >= 0)185 {186 buffer[data] = 1;187 /* Print the array values */188 for(i = 0; i < 10; i++)189 {190 printIntLine(buffer[i]);191 }192 }193 else194 {195 printLine("ERROR: Array index is negative.");196 }197 free(buffer);198 }199 }200}201202/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */203static void goodG2B2()204{205 int data;206 /* Initialize data */207 data = -1;208 if(globalFive==5)209 {210 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to211 * access an index of the array in the sink that is out-of-bounds */212 data = 7;213 }214 if(globalFive==5)215 {216 {217 int i;218 int * buffer = (int *)malloc(10 * sizeof(int));219 if (buffer == NULL) {exit(-1);}220 /* initialize buffer */221 for (i = 0; i < 10; i++)222 {223 buffer[i] = 0;224 }225 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound226 * This code does check to see if the array index is negative */227 if (data >= 0)228 {229 buffer[data] = 1;230 /* Print the array values */231 for(i = 0; i < 10; i++)232 {233 printIntLine(buffer[i]);234 }235 }236 else237 {238 printLine("ERROR: Array index is negative.");239 }240 free(buffer);241 }242 }243}244245void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14_good()246{247 goodB2G1();248 goodB2G2();249 goodG2B1();250 goodG2B2();251}252253#endif /* OMITGOOD */254255/* Below is the main(). It is only used when building this testcase on256 its own for testing or for building a binary to use in testing binary257 analysis tools. It is not used when compiling all the testcases as one258 application, which is how source code analysis tools are tested. */259260#ifdef INCLUDEMAIN261262int main(int argc, char * argv[])263{264 /* seed randomness */265 srand( (unsigned)time(NULL) );266#ifndef OMITGOOD267 printLine("Calling good()...");268 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14_good();269 printLine("Finished good()");270#endif /* OMITGOOD */271#ifndef OMITBAD272 printLine("Calling bad()...");273 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14_bad();274 printLine("Finished bad()");275#endif /* OMITBAD */276 return 0;277}278279#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_wchar_t_loop_21.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-21.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE124_Buffer_Underwrite__new_wchar_t_loop_2122{2324#ifndef OMITBAD2526/* The static variable below is used to drive control flow in the source function */27static int badStatic = 0;2829static wchar_t * badSource(wchar_t * data)30{31 if(badStatic)32 {33 {34 wchar_t * dataBuffer = new wchar_t[100];35 wmemset(dataBuffer, L'A', 100-1);36 dataBuffer[100-1] = L'\0';37 /* FLAW: Set data pointer to before the allocated memory buffer */38 data = dataBuffer - 8;39 }40 }41 return data;42}4344void bad()45{✓ 46 wchar_t * data;✓ 47 data = NULL;✓ 48 badStatic = 1; /* true */✓ 49 data = badSource(data);50 {✓ 51 size_t i;✓ 52 wchar_t source[100];✓ 53 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 54 source[100-1] = L'\0'; /* null terminate */55 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 56 for (i = 0; i < 100; i++)57 {✓ 58 data[i] = source[i];❗VULN59 }60 /* Ensure the destination buffer is null terminated */✓ 61 data[100-1] = L'\0';✓ 62 printWLine(data);63 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location64 * returned by new [] so can't safely call delete [] on it */65 }✓ 66 ;67}6869#endif /* OMITBAD */7071#ifndef OMITGOOD7273/* The static variables below are used to drive control flow in the source functions. */74static int goodG2B1Static = 0;75static int goodG2B2Static = 0;7677/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */78static wchar_t * goodG2B1Source(wchar_t * data)79{80 if(goodG2B1Static)81 {82 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */83 printLine("Benign, fixed string");84 }85 else86 {87 {88 wchar_t * dataBuffer = new wchar_t[100];89 wmemset(dataBuffer, L'A', 100-1);90 dataBuffer[100-1] = L'\0';91 /* FIX: Set data pointer to the allocated memory buffer */92 data = dataBuffer;93 }94 }95 return data;96}9798static void goodG2B1()99{100 wchar_t * data;101 data = NULL;102 goodG2B1Static = 0; /* false */103 data = goodG2B1Source(data);104 {105 size_t i;106 wchar_t source[100];107 wmemset(source, L'C', 100-1); /* fill with 'C's */108 source[100-1] = L'\0'; /* null terminate */109 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */110 for (i = 0; i < 100; i++)111 {112 data[i] = source[i];113 }114 /* Ensure the destination buffer is null terminated */115 data[100-1] = L'\0';116 printWLine(data);117 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location118 * returned by new [] so can't safely call delete [] on it */119 }120 ;121}122123/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */124static wchar_t * goodG2B2Source(wchar_t * data)125{126 if(goodG2B2Static)127 {128 {129 wchar_t * dataBuffer = new wchar_t[100];130 wmemset(dataBuffer, L'A', 100-1);131 dataBuffer[100-1] = L'\0';132 /* FIX: Set data pointer to the allocated memory buffer */133 data = dataBuffer;134 }135 }136 return data;137}138139static void goodG2B2()140{141 wchar_t * data;142 data = NULL;143 goodG2B2Static = 1; /* true */144 data = goodG2B2Source(data);145 {146 size_t i;147 wchar_t source[100];148 wmemset(source, L'C', 100-1); /* fill with 'C's */149 source[100-1] = L'\0'; /* null terminate */150 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */151 for (i = 0; i < 100; i++)152 {153 data[i] = source[i];154 }155 /* Ensure the destination buffer is null terminated */156 data[100-1] = L'\0';157 printWLine(data);158 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location159 * returned by new [] so can't safely call delete [] on it */160 }161 ;162}163164void good()165{166 goodG2B1();167 goodG2B2();168}169170#endif /* OMITGOOD */171172} /* close namespace */173174/* Below is the main(). It is only used when building this testcase on175 its own for testing or for building a binary to use in testing binary176 analysis tools. It is not used when compiling all the testcases as one177 application, which is how source code analysis tools are tested. */178179#ifdef INCLUDEMAIN180181using namespace CWE124_Buffer_Underwrite__new_wchar_t_loop_21; /* so that we can use good and bad easily */182183int main(int argc, char * argv[])184{185 /* seed randomness */186 srand( (unsigned)time(NULL) );187#ifndef OMITGOOD188 printLine("Calling good()...");189 good();190 printLine("Finished good()");191#endif /* OMITGOOD */192#ifndef OMITBAD193 printLine("Calling bad()...");194 bad();195 printLine("Finished bad()");196#endif /* OMITBAD */197 return 0;198}199200#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61a.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-61a.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sinks: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 61 Data flow: data returned from one function to another in different source files14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223/* bad function declaration */24wchar_t * CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61b_badSource(wchar_t * data);2526void CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61_bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;✓ 30 data = CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61b_badSource(data);31 {✓ 32 wchar_t dest[100];✓ 33 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 34 dest[100-1] = L'\0'; /* null terminate */35 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 36 memcpy(dest, data, 100*sizeof(wchar_t));❗VULN37 /* Ensure null termination */✓ 38 dest[100-1] = L'\0';✓ 39 printWLine(dest);40 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location41 * returned by malloc() so can't safely call free() on it */42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B uses the GoodSource with the BadSink */50wchar_t * CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61b_goodG2BSource(wchar_t * data);5152static void goodG2B()53{54 wchar_t * data;55 data = NULL;56 data = CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61b_goodG2BSource(data);57 {58 wchar_t dest[100];59 wmemset(dest, L'C', 100-1); /* fill with 'C's */60 dest[100-1] = L'\0'; /* null terminate */61 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */62 memcpy(dest, data, 100*sizeof(wchar_t));63 /* Ensure null termination */64 dest[100-1] = L'\0';65 printWLine(dest);66 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location67 * returned by malloc() so can't safely call free() on it */68 }69}7071void CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61_good()72{73 goodG2B();74}7576#endif /* OMITGOOD */7778/* Below is the main(). It is only used when building this testcase on79 * its own for testing or for building a binary to use in testing binary80 * analysis tools. It is not used when compiling all the testcases as one81 * application, which is how source code analysis tools are tested.82 */8384#ifdef INCLUDEMAIN8586int main(int argc, char * argv[])87{88 /* seed randomness */89 srand( (unsigned)time(NULL) );90#ifndef OMITGOOD91 printLine("Calling good()...");92 CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61_good();93 printLine("Finished good()");94#endif /* OMITGOOD */95#ifndef OMITBAD96 printLine("Calling bad()...");97 CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61_bad();98 printLine("Finished bad()");99#endif /* OMITBAD */100 return 0;101}102103#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml4Template File: sources-sink-04.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: ncat12 * BadSink : Copy string to data using wcsncat13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are declared "const", so a tool should22 * be able to identify that reads of these will always return their23 * initialized values.24 */25static const int STATIC_CONST_TRUE = 1; /* true */26static const int STATIC_CONST_FALSE = 0; /* false */2728#ifndef OMITBAD2930void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04_bad()31{✓ 32 wchar_t * data;✓ 33 data = NULL;✓ 34 if(STATIC_CONST_TRUE)35 {36 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 37 data = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 38 if (data == NULL) {exit(-1);}✓ 39 data[0] = L'\0'; /* null terminate */40 }41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 46 wcsncat(data, source, 100);❗VULN✓ 47 printWLine(data);✓ 48 free(data);49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */57static void goodG2B1()58{59 wchar_t * data;60 data = NULL;61 if(STATIC_CONST_FALSE)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */69 data = (wchar_t *)malloc(100*sizeof(wchar_t));70 if (data == NULL) {exit(-1);}71 data[0] = L'\0'; /* null terminate */72 }73 {74 wchar_t source[100];75 wmemset(source, L'C', 100-1); /* fill with L'C's */76 source[100-1] = L'\0'; /* null terminate */77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */78 wcsncat(data, source, 100);79 printWLine(data);80 free(data);81 }82}8384/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */85static void goodG2B2()86{87 wchar_t * data;88 data = NULL;89 if(STATIC_CONST_TRUE)90 {91 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */92 data = (wchar_t *)malloc(100*sizeof(wchar_t));93 if (data == NULL) {exit(-1);}94 data[0] = L'\0'; /* null terminate */95 }96 {97 wchar_t source[100];98 wmemset(source, L'C', 100-1); /* fill with L'C's */99 source[100-1] = L'\0'; /* null terminate */100 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */101 wcsncat(data, source, 100);102 printWLine(data);103 free(data);104 }105}106107void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04_good()108{109 goodG2B1();110 goodG2B2();111}112113#endif /* OMITGOOD */114115/* Below is the main(). It is only used when building this testcase on116 * its own for testing or for building a binary to use in testing binary117 * analysis tools. It is not used when compiling all the testcases as one118 * application, which is how source code analysis tools are tested.119 */120121#ifdef INCLUDEMAIN122123int main(int argc, char * argv[])124{125 /* seed randomness */126 srand( (unsigned)time(NULL) );127#ifndef OMITGOOD128 printLine("Calling good()...");129 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04_good();130 printLine("Finished good()");131#endif /* OMITGOOD */132#ifndef OMITBAD133 printLine("Calling bad()...");134 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04_bad();135 printLine("Finished bad()");136#endif /* OMITBAD */137 return 0;138}139140#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__new_char_memmove_06.cpp3Label Definition File: CWE126_Buffer_Overread__new.label.xml4Template File: sources-sink-06.tmpl.cpp5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is declared "const", so a tool should be able22 to identify that reads of this will always give its initialized23 value. */24static const int STATIC_CONST_FIVE = 5;2526namespace CWE126_Buffer_Overread__new_char_memmove_0627{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 data = NULL;✓ 35 if(STATIC_CONST_FIVE==5)36 {37 /* FLAW: Use a small buffer */✓ 38 data = new char[50];✓ 39 memset(data, 'A', 50-1); /* fill with 'A's */✓ 40 data[50-1] = '\0'; /* null terminate */41 }42 {✓ 43 char dest[100];✓ 44 memset(dest, 'C', 100-1);✓ 45 dest[100-1] = '\0'; /* null terminate */46 /* POTENTIAL FLAW: using memmove with the length of the dest where data47 * could be smaller than dest causing buffer overread */✓ 48 memmove(dest, data, strlen(dest)*sizeof(char));❗VULN✓ 49 dest[100-1] = '\0';✓ 50 printLine(dest);✓ 51 delete [] data;52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */60static void goodG2B1()61{62 char * data;63 data = NULL;64 if(STATIC_CONST_FIVE!=5)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 /* FIX: Use a large buffer */72 data = new char[100];73 memset(data, 'A', 100-1); /* fill with 'A's */74 data[100-1] = '\0'; /* null terminate */75 }76 {77 char dest[100];78 memset(dest, 'C', 100-1);79 dest[100-1] = '\0'; /* null terminate */80 /* POTENTIAL FLAW: using memmove with the length of the dest where data81 * could be smaller than dest causing buffer overread */82 memmove(dest, data, strlen(dest)*sizeof(char));83 dest[100-1] = '\0';84 printLine(dest);85 delete [] data;86 }87}8889/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */90static void goodG2B2()91{92 char * data;93 data = NULL;94 if(STATIC_CONST_FIVE==5)95 {96 /* FIX: Use a large buffer */97 data = new char[100];98 memset(data, 'A', 100-1); /* fill with 'A's */99 data[100-1] = '\0'; /* null terminate */100 }101 {102 char dest[100];103 memset(dest, 'C', 100-1);104 dest[100-1] = '\0'; /* null terminate */105 /* POTENTIAL FLAW: using memmove with the length of the dest where data106 * could be smaller than dest causing buffer overread */107 memmove(dest, data, strlen(dest)*sizeof(char));108 dest[100-1] = '\0';109 printLine(dest);110 delete [] data;111 }112}113114void good()115{116 goodG2B1();117 goodG2B2();118}119120#endif /* OMITGOOD */121122} /* close namespace */123124/* Below is the main(). It is only used when building this testcase on125 its own for testing or for building a binary to use in testing binary126 analysis tools. It is not used when compiling all the testcases as one127 application, which is how source code analysis tools are tested. */128129#ifdef INCLUDEMAIN130131using namespace CWE126_Buffer_Overread__new_char_memmove_06; /* so that we can use good and bad easily */132133int main(int argc, char * argv[])134{135 /* seed randomness */136 srand( (unsigned)time(NULL) );137#ifndef OMITGOOD138 printLine("Calling good()...");139 good();140 printLine("Finished good()");141#endif /* OMITGOOD */142#ifndef OMITBAD143 printLine("Calling bad()...");144 bad();145 printLine("Finished bad()");146#endif /* OMITBAD */147 return 0;148}149150#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_wchar_t_loop_68b.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-68b.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021extern wchar_t * CWE127_Buffer_Underread__malloc_wchar_t_loop_68_badData;22extern wchar_t * CWE127_Buffer_Underread__malloc_wchar_t_loop_68_goodG2BData;2324/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */2526#ifndef OMITBAD2728void CWE127_Buffer_Underread__malloc_wchar_t_loop_68b_badSink()29{✓ 30 wchar_t * data = CWE127_Buffer_Underread__malloc_wchar_t_loop_68_badData;31 {✓ 32 size_t i;✓ 33 wchar_t dest[100];✓ 34 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 35 dest[100-1] = L'\0'; /* null terminate */36 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 37 for (i = 0; i < 100; i++)38 {✓ 39 dest[i] = data[i];❗VULN40 }41 /* Ensure null termination */✓ 42 dest[100-1] = L'\0';✓ 43 printWLine(dest);44 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location45 * returned by malloc() so can't safely call free() on it */46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B uses the GoodSource with the BadSink */54void CWE127_Buffer_Underread__malloc_wchar_t_loop_68b_goodG2BSink()55{56 wchar_t * data = CWE127_Buffer_Underread__malloc_wchar_t_loop_68_goodG2BData;57 {58 size_t i;59 wchar_t dest[100];60 wmemset(dest, L'C', 100-1); /* fill with 'C's */61 dest[100-1] = L'\0'; /* null terminate */62 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */63 for (i = 0; i < 100; i++)64 {65 dest[i] = data[i];66 }67 /* Ensure null termination */68 dest[100-1] = L'\0';69 printWLine(dest);70 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location71 * returned by malloc() so can't safely call free() on it */72 }73}7475#endif /* OMITGOOD */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_wchar_t_memcpy_04.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-04.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are declared "const", so a tool should22 be able to identify that reads of these will always return their23 initialized values. */24static const int STATIC_CONST_TRUE = 1; /* true */25static const int STATIC_CONST_FALSE = 0; /* false */2627namespace CWE124_Buffer_Underwrite__new_wchar_t_memcpy_0428{2930#ifndef OMITBAD3132void bad()33{✓ 34 wchar_t * data;✓ 35 data = NULL;✓ 36 if(STATIC_CONST_TRUE)37 {38 {✓ 39 wchar_t * dataBuffer = new wchar_t[100];✓ 40 wmemset(dataBuffer, L'A', 100-1);✓ 41 dataBuffer[100-1] = L'\0';42 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 43 data = dataBuffer - 8;44 }45 }46 {✓ 47 wchar_t source[100];✓ 48 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 49 source[100-1] = L'\0'; /* null terminate */50 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 51 memcpy(data, source, 100*sizeof(wchar_t));❗VULN52 /* Ensure the destination buffer is null terminated */✓ 53 data[100-1] = L'\0';✓ 54 printWLine(data);55 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location56 * returned by new [] so can't safely call delete [] on it */57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */65static void goodG2B1()66{67 wchar_t * data;68 data = NULL;69 if(STATIC_CONST_FALSE)70 {71 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */72 printLine("Benign, fixed string");73 }74 else75 {76 {77 wchar_t * dataBuffer = new wchar_t[100];78 wmemset(dataBuffer, L'A', 100-1);79 dataBuffer[100-1] = L'\0';80 /* FIX: Set data pointer to the allocated memory buffer */81 data = dataBuffer;82 }83 }84 {85 wchar_t source[100];86 wmemset(source, L'C', 100-1); /* fill with 'C's */87 source[100-1] = L'\0'; /* null terminate */88 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */89 memcpy(data, source, 100*sizeof(wchar_t));90 /* Ensure the destination buffer is null terminated */91 data[100-1] = L'\0';92 printWLine(data);93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location94 * returned by new [] so can't safely call delete [] on it */95 }96}9798/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */99static void goodG2B2()100{101 wchar_t * data;102 data = NULL;103 if(STATIC_CONST_TRUE)104 {105 {106 wchar_t * dataBuffer = new wchar_t[100];107 wmemset(dataBuffer, L'A', 100-1);108 dataBuffer[100-1] = L'\0';109 /* FIX: Set data pointer to the allocated memory buffer */110 data = dataBuffer;111 }112 }113 {114 wchar_t source[100];115 wmemset(source, L'C', 100-1); /* fill with 'C's */116 source[100-1] = L'\0'; /* null terminate */117 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */118 memcpy(data, source, 100*sizeof(wchar_t));119 /* Ensure the destination buffer is null terminated */120 data[100-1] = L'\0';121 printWLine(data);122 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location123 * returned by new [] so can't safely call delete [] on it */124 }125}126127void good()128{129 goodG2B1();130 goodG2B2();131}132133#endif /* OMITGOOD */134135} /* close namespace */136137/* Below is the main(). It is only used when building this testcase on138 its own for testing or for building a binary to use in testing binary139 analysis tools. It is not used when compiling all the testcases as one140 application, which is how source code analysis tools are tested. */141142#ifdef INCLUDEMAIN143144using namespace CWE124_Buffer_Underwrite__new_wchar_t_memcpy_04; /* so that we can use good and bad easily */145146int main(int argc, char * argv[])147{148 /* seed randomness */149 srand( (unsigned)time(NULL) );150#ifndef OMITGOOD151 printLine("Calling good()...");152 good();153 printLine("Finished good()");154#endif /* OMITGOOD */155#ifndef OMITBAD156 printLine("Calling bad()...");157 bad();158 printLine("Finished bad()");159#endif /* OMITBAD */160 return 0;161}162163#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_02.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-02.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: ncat12 * BadSink : Copy string to data using wcsncat13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_0222{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;✓ 30 if(1)31 {32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 33 data = new wchar_t[50];✓ 34 data[0] = L'\0'; /* null terminate */35 }36 {✓ 37 wchar_t source[100];✓ 38 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 39 source[100-1] = L'\0'; /* null terminate */40 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 41 wcsncat(data, source, 100);❗VULN✓ 42 printWLine(data);✓ 43 delete [] data;44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */52static void goodG2B1()53{54 wchar_t * data;55 data = NULL;56 if(0)57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */64 data = new wchar_t[100];65 data[0] = L'\0'; /* null terminate */66 }67 {68 wchar_t source[100];69 wmemset(source, L'C', 100-1); /* fill with L'C's */70 source[100-1] = L'\0'; /* null terminate */71 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */72 wcsncat(data, source, 100);73 printWLine(data);74 delete [] data;75 }76}7778/* goodG2B2() - use goodsource and badsink by reversing the statements in the if */79static void goodG2B2()80{81 wchar_t * data;82 data = NULL;83 if(1)84 {85 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */86 data = new wchar_t[100];87 data[0] = L'\0'; /* null terminate */88 }89 {90 wchar_t source[100];91 wmemset(source, L'C', 100-1); /* fill with L'C's */92 source[100-1] = L'\0'; /* null terminate */93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */94 wcsncat(data, source, 100);95 printWLine(data);96 delete [] data;97 }98}99100void good()101{102 goodG2B1();103 goodG2B2();104}105106#endif /* OMITGOOD */107108} /* close namespace */109110/* Below is the main(). It is only used when building this testcase on111 its own for testing or for building a binary to use in testing binary112 analysis tools. It is not used when compiling all the testcases as one113 application, which is how source code analysis tools are tested. */114115#ifdef INCLUDEMAIN116117using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_02; /* so that we can use good and bad easily */118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02.c3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;✓ 27 if(1)28 {29 {✓ 30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 wmemset(dataBuffer, L'A', 100-1);✓ 33 dataBuffer[100-1] = L'\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 {✓ 39 size_t i;✓ 40 wchar_t source[100];✓ 41 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 42 source[100-1] = L'\0'; /* null terminate */43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 44 for (i = 0; i < 100; i++)45 {✓ 46 data[i] = source[i];❗VULN47 }48 /* Ensure the destination buffer is null terminated */✓ 49 data[100-1] = L'\0';✓ 50 printWLine(data);51 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location52 * returned by malloc() so can't safely call free() on it */53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */61static void goodG2B1()62{63 wchar_t * data;64 data = NULL;65 if(0)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 {73 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));74 if (dataBuffer == NULL) {exit(-1);}75 wmemset(dataBuffer, L'A', 100-1);76 dataBuffer[100-1] = L'\0';77 /* FIX: Set data pointer to the allocated memory buffer */78 data = dataBuffer;79 }80 }81 {82 size_t i;83 wchar_t source[100];84 wmemset(source, L'C', 100-1); /* fill with 'C's */85 source[100-1] = L'\0'; /* null terminate */86 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */87 for (i = 0; i < 100; i++)88 {89 data[i] = source[i];90 }91 /* Ensure the destination buffer is null terminated */92 data[100-1] = L'\0';93 printWLine(data);94 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location95 * returned by malloc() so can't safely call free() on it */96 }97}9899/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */100static void goodG2B2()101{102 wchar_t * data;103 data = NULL;104 if(1)105 {106 {107 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));108 if (dataBuffer == NULL) {exit(-1);}109 wmemset(dataBuffer, L'A', 100-1);110 dataBuffer[100-1] = L'\0';111 /* FIX: Set data pointer to the allocated memory buffer */112 data = dataBuffer;113 }114 }115 {116 size_t i;117 wchar_t source[100];118 wmemset(source, L'C', 100-1); /* fill with 'C's */119 source[100-1] = L'\0'; /* null terminate */120 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */121 for (i = 0; i < 100; i++)122 {123 data[i] = source[i];124 }125 /* Ensure the destination buffer is null terminated */126 data[100-1] = L'\0';127 printWLine(data);128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location129 * returned by malloc() so can't safely call free() on it */130 }131}132133void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02_good()134{135 goodG2B1();136 goodG2B2();137}138139#endif /* OMITGOOD */140141/* Below is the main(). It is only used when building this testcase on142 * its own for testing or for building a binary to use in testing binary143 * analysis tools. It is not used when compiling all the testcases as one144 * application, which is how source code analysis tools are tested.145 */146147#ifdef INCLUDEMAIN148149int main(int argc, char * argv[])150{151 /* seed randomness */152 srand( (unsigned)time(NULL) );153#ifndef OMITGOOD154 printLine("Calling good()...");155 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02_good();156 printLine("Finished good()");157#endif /* OMITGOOD */158#ifndef OMITBAD159 printLine("Calling bad()...");160 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02_bad();161 printLine("Finished bad()");162#endif /* OMITBAD */163 return 0;164}165166#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 6 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__CWE170_char_strncpy_11.c3Label Definition File: CWE126_Buffer_Overread__CWE170.label.xml4Template File: point-flaw-11.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Overread9 * Sinks: strncpy10 * GoodSink: Copy a string using strncpy() with explicit null termination11 * BadSink : Copy a string using strncpy() without explicit null termination12 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())13 *14 * */1516#include "std_testcase.h"1718#include <wchar.h>1920#ifndef OMITBAD2122void CWE126_Buffer_Overread__CWE170_char_strncpy_11_bad()23{✓ 24 if(globalReturnsTrue())25 {26 {✓ 27 char data[150], dest[100];28 /* Initialize data */✓ 29 memset(data, 'A', 149);✓ 30 data[149] = '\0';31 /* strncpy() does not null terminate if the string in the src buffer is larger than32 * the number of characters being copied to the dest buffer */✓ 33 strncpy(dest, data, 99);34 /* FLAW: do not explicitly null terminate dest after the use of strncpy() */✓ 35 printLine(dest);❗VULN36 }37 }38}3940#endif /* OMITBAD */4142#ifndef OMITGOOD4344/* good1() uses if(globalReturnsFalse()) instead of if(globalReturnsTrue()) */45static void good1()46{47 if(globalReturnsFalse())48 {49 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */50 printLine("Benign, fixed string");51 }52 else53 {54 {55 char data[150], dest[100];56 /* Initialize data */57 memset(data, 'A', 149);58 data[149] = '\0';59 /* strncpy() does not null terminate if the string in the src buffer is larger than60 * the number of characters being copied to the dest buffer */61 strncpy(dest, data, 99);62 dest[99] = '\0'; /* FIX: Explicitly null terminate dest after the use of strncpy() */63 printLine(dest);64 }65 }66}6768/* good2() reverses the bodies in the if statement */69static void good2()70{71 if(globalReturnsTrue())72 {73 {74 char data[150], dest[100];75 /* Initialize data */76 memset(data, 'A', 149);77 data[149] = '\0';78 /* strncpy() does not null terminate if the string in the src buffer is larger than79 * the number of characters being copied to the dest buffer */80 strncpy(dest, data, 99);81 dest[99] = '\0'; /* FIX: Explicitly null terminate dest after the use of strncpy() */82 printLine(dest);83 }84 }85}8687void CWE126_Buffer_Overread__CWE170_char_strncpy_11_good()88{89 good1();90 good2();91}9293#endif /* OMITGOOD */9495/* Below is the main(). It is only used when building this testcase on96 its own for testing or for building a binary to use in testing binary97 analysis tools. It is not used when compiling all the testcases as one98 application, which is how source code analysis tools are tested. */99100#ifdef INCLUDEMAIN101102int main(int argc, char * argv[])103{104 /* seed randomness */105 srand( (unsigned)time(NULL) );106#ifndef OMITGOOD107 printLine("Calling good()...");108 CWE126_Buffer_Overread__CWE170_char_strncpy_11_good();109 printLine("Finished good()");110#endif /* OMITGOOD */111#ifndef OMITBAD112 printLine("Calling bad()...");113 CWE126_Buffer_Overread__CWE170_char_strncpy_11_bad();114 printLine("Finished bad()");115#endif /* OMITBAD */116 return 0;117}118119#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_33.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sinks: memmove12 * BadSink : Copy string to data using memmove()13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_3327{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 char * &dataRef = data;✓ 35 data = NULL;36 /* FLAW: Did not leave space for a null terminator */✓ 37 data = (char *)malloc(10*sizeof(char));✓ 38 if (data == NULL) {exit(-1);}39 {✓ 40 char * data = dataRef;41 {✓ 42 char source[10+1] = SRC_STRING;43 /* Copy length + 1 to include NUL terminator from source */44 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 45 memmove(data, source, (strlen(source) + 1) * sizeof(char));❗VULN✓ 46 printLine(data);✓ 47 free(data);48 }49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B() uses the GoodSource with the BadSink */57static void goodG2B()58{59 char * data;60 char * &dataRef = data;61 data = NULL;62 /* FIX: Allocate space for a null terminator */63 data = (char *)malloc((10+1)*sizeof(char));64 if (data == NULL) {exit(-1);}65 {66 char * data = dataRef;67 {68 char source[10+1] = SRC_STRING;69 /* Copy length + 1 to include NUL terminator from source */70 /* POTENTIAL FLAW: data may not have enough space to hold source */71 memmove(data, source, (strlen(source) + 1) * sizeof(char));72 printLine(data);73 free(data);74 }75 }76}7778void good()79{80 goodG2B();81}8283#endif /* OMITGOOD */8485} /* close namespace */8687/* Below is the main(). It is only used when building this testcase on88 * its own for testing or for building a binary to use in testing binary89 * analysis tools. It is not used when compiling all the testcases as one90 * application, which is how source code analysis tools are tested.91 */92#ifdef INCLUDEMAIN9394using namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_33; /* so that we can use good and bad easily */9596int main(int argc, char * argv[])97{98 /* seed randomness */99 srand( (unsigned)time(NULL) );100#ifndef OMITGOOD101 printLine("Calling good()...");102 good();103 printLine("Finished good()");104#endif /* OMITGOOD */105#ifndef OMITBAD106 printLine("Calling bad()...");107 bad();108 printLine("Finished bad()");109#endif /* OMITBAD */110 return 0;111}112113#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_04.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-04.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: ncpy12 * BadSink : Copy string to data using strncpy13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are declared "const", so a tool should22 be able to identify that reads of these will always return their23 initialized values. */24static const int STATIC_CONST_TRUE = 1; /* true */25static const int STATIC_CONST_FALSE = 0; /* false */2627namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_0428{2930#ifndef OMITBAD3132void bad()33{✓ 34 char * data;✓ 35 data = NULL;✓ 36 if(STATIC_CONST_TRUE)37 {38 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 39 data = new char[50];✓ 40 data[0] = '\0'; /* null terminate */41 }42 {✓ 43 char source[100];✓ 44 memset(source, 'C', 100-1); /* fill with 'C's */✓ 45 source[100-1] = '\0'; /* null terminate */46 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 47 strncpy(data, source, 100-1);❗VULN✓ 48 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 49 printLine(data);✓ 50 delete [] data;51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */59static void goodG2B1()60{61 char * data;62 data = NULL;63 if(STATIC_CONST_FALSE)64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */71 data = new char[100];72 data[0] = '\0'; /* null terminate */73 }74 {75 char source[100];76 memset(source, 'C', 100-1); /* fill with 'C's */77 source[100-1] = '\0'; /* null terminate */78 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */79 strncpy(data, source, 100-1);80 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */81 printLine(data);82 delete [] data;83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 char * data;90 data = NULL;91 if(STATIC_CONST_TRUE)92 {93 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */94 data = new char[100];95 data[0] = '\0'; /* null terminate */96 }97 {98 char source[100];99 memset(source, 'C', 100-1); /* fill with 'C's */100 source[100-1] = '\0'; /* null terminate */101 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */102 strncpy(data, source, 100-1);103 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */104 printLine(data);105 delete [] data;106 }107}108109void good()110{111 goodG2B1();112 goodG2B2();113}114115#endif /* OMITGOOD */116117} /* close namespace */118119/* Below is the main(). It is only used when building this testcase on120 its own for testing or for building a binary to use in testing binary121 analysis tools. It is not used when compiling all the testcases as one122 application, which is how source code analysis tools are tested. */123124#ifdef INCLUDEMAIN125126using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_04; /* so that we can use good and bad easily */127128int main(int argc, char * argv[])129{130 /* seed randomness */131 srand( (unsigned)time(NULL) );132#ifndef OMITGOOD133 printLine("Calling good()...");134 good();135 printLine("Finished good()");136#endif /* OMITGOOD */137#ifndef OMITBAD138 printLine("Calling bad()...");139 bad();140 printLine("Finished bad()");141#endif /* OMITBAD */142 return 0;143}144145#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_13.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-13.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: ncpy12 * BadSink : Copy string to data using strncpy13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_1322{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = NULL;✓ 30 if(GLOBAL_CONST_FIVE==5)31 {32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 33 data = new char[50];✓ 34 data[0] = '\0'; /* null terminate */35 }36 {✓ 37 char source[100];✓ 38 memset(source, 'C', 100-1); /* fill with 'C's */✓ 39 source[100-1] = '\0'; /* null terminate */40 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 41 strncpy(data, source, 100-1);❗VULN✓ 42 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 43 printLine(data);✓ 44 delete [] data;45 }46}4748#endif /* OMITBAD */4950#ifndef OMITGOOD5152/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */53static void goodG2B1()54{55 char * data;56 data = NULL;57 if(GLOBAL_CONST_FIVE!=5)58 {59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */60 printLine("Benign, fixed string");61 }62 else63 {64 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */65 data = new char[100];66 data[0] = '\0'; /* null terminate */67 }68 {69 char source[100];70 memset(source, 'C', 100-1); /* fill with 'C's */71 source[100-1] = '\0'; /* null terminate */72 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */73 strncpy(data, source, 100-1);74 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */75 printLine(data);76 delete [] data;77 }78}7980/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */81static void goodG2B2()82{83 char * data;84 data = NULL;85 if(GLOBAL_CONST_FIVE==5)86 {87 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */88 data = new char[100];89 data[0] = '\0'; /* null terminate */90 }91 {92 char source[100];93 memset(source, 'C', 100-1); /* fill with 'C's */94 source[100-1] = '\0'; /* null terminate */95 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */96 strncpy(data, source, 100-1);97 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */98 printLine(data);99 delete [] data;100 }101}102103void good()104{105 goodG2B1();106 goodG2B2();107}108109#endif /* OMITGOOD */110111} /* close namespace */112113/* Below is the main(). It is only used when building this testcase on114 its own for testing or for building a binary to use in testing binary115 analysis tools. It is not used when compiling all the testcases as one116 application, which is how source code analysis tools are tested. */117118#ifdef INCLUDEMAIN119120using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_13; /* so that we can use good and bad easily */121122int main(int argc, char * argv[])123{124 /* seed randomness */125 srand( (unsigned)time(NULL) );126#ifndef OMITGOOD127 printLine("Calling good()...");128 good();129 printLine("Finished good()");130#endif /* OMITGOOD */131#ifndef OMITBAD132 printLine("Calling bad()...");133 bad();134 printLine("Finished bad()");135#endif /* OMITBAD */136 return 0;137}138139#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml4Template File: sources-sink-10.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: cat12 * BadSink : Copy data to string using strcat13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10_bad()24{✓ 25 char * data;✓ 26 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 27 data = dataBuffer;✓ 28 if(globalTrue)29 {30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 31 memset(data, 'A', 100-1); /* fill with 'A's */✓ 32 data[100-1] = '\0'; /* null terminate */33 }34 {✓ 35 char dest[50] = "";36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/✓ 37 strcat(dest, data);❗VULN✓ 38 printLine(data);39 }40}4142#endif /* OMITBAD */4344#ifndef OMITGOOD4546/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */47static void goodG2B1()48{49 char * data;50 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));51 data = dataBuffer;52 if(globalFalse)53 {54 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */55 printLine("Benign, fixed string");56 }57 else58 {59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */60 memset(data, 'A', 50-1); /* fill with 'A's */61 data[50-1] = '\0'; /* null terminate */62 }63 {64 char dest[50] = "";65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/66 strcat(dest, data);67 printLine(data);68 }69}7071/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */72static void goodG2B2()73{74 char * data;75 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));76 data = dataBuffer;77 if(globalTrue)78 {79 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */80 memset(data, 'A', 50-1); /* fill with 'A's */81 data[50-1] = '\0'; /* null terminate */82 }83 {84 char dest[50] = "";85 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/86 strcat(dest, data);87 printLine(data);88 }89}9091void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10_good()92{93 goodG2B1();94 goodG2B2();95}9697#endif /* OMITGOOD */9899/* Below is the main(). It is only used when building this testcase on100 * its own for testing or for building a binary to use in testing binary101 * analysis tools. It is not used when compiling all the testcases as one102 * application, which is how source code analysis tools are tested.103 */104105#ifdef INCLUDEMAIN106107int main(int argc, char * argv[])108{109 /* seed randomness */110 srand( (unsigned)time(NULL) );111#ifndef OMITGOOD112 printLine("Calling good()...");113 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10_good();114 printLine("Finished good()");115#endif /* OMITGOOD */116#ifndef OMITBAD117 printLine("Calling bad()...");118 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10_bad();119 printLine("Finished bad()");120#endif /* OMITBAD */121 return 0;122}123124#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-16.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: ncpy12 * BadSink : Copy string to data using wcsncpy13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';✓ 29 while(1)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;✓ 33 break;34 }35 {✓ 36 wchar_t source[100];✓ 37 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 38 source[100-1] = L'\0'; /* null terminate */39 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 40 wcsncpy(data, source, 100-1);❗VULN41 /* Ensure the destination buffer is null terminated */✓ 42 data[100-1] = L'\0';✓ 43 printWLine(data);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */52static void goodG2B()53{54 wchar_t * data;55 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));56 wmemset(dataBuffer, L'A', 100-1);57 dataBuffer[100-1] = L'\0';58 while(1)59 {60 /* FIX: Set data pointer to the allocated memory buffer */61 data = dataBuffer;62 break;63 }64 {65 wchar_t source[100];66 wmemset(source, L'C', 100-1); /* fill with 'C's */67 source[100-1] = L'\0'; /* null terminate */68 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */69 wcsncpy(data, source, 100-1);70 /* Ensure the destination buffer is null terminated */71 data[100-1] = L'\0';72 printWLine(data);73 }74}7576void CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16_good()77{78 goodG2B();79}8081#endif /* OMITGOOD */8283/* Below is the main(). It is only used when building this testcase on84 * its own for testing or for building a binary to use in testing binary85 * analysis tools. It is not used when compiling all the testcases as one86 * application, which is how source code analysis tools are tested.87 */8889#ifdef INCLUDEMAIN9091int main(int argc, char * argv[])92{93 /* seed randomness */94 srand( (unsigned)time(NULL) );95#ifndef OMITGOOD96 printLine("Calling good()...");97 CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16_good();98 printLine("Finished good()");99#endif /* OMITGOOD */100#ifndef OMITBAD101 printLine("Calling bad()...");102 CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16_bad();103 printLine("Finished bad()");104#endif /* OMITBAD */105 return 0;106}107108#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sinks: ncat12 * BadSink : Copy string to data using strncat13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021typedef union22{23 char * unionFirst;24 char * unionSecond;25} CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_unionType;2627#ifndef OMITBAD2829void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_bad()30{✓ 31 char * data;✓ 32 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_unionType myUnion;✓ 33 data = NULL;34 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 35 data = (char *)malloc(50*sizeof(char));✓ 36 if (data == NULL) {exit(-1);}✓ 37 data[0] = '\0'; /* null terminate */✓ 38 myUnion.unionFirst = data;39 {✓ 40 char * data = myUnion.unionSecond;41 {✓ 42 char source[100];✓ 43 memset(source, 'C', 100-1); /* fill with 'C's */✓ 44 source[100-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 46 strncat(data, source, 100);❗VULN✓ 47 printLine(data);✓ 48 free(data);49 }50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B() uses the GoodSource with the BadSink */58static void goodG2B()59{60 char * data;61 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_unionType myUnion;62 data = NULL;63 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */64 data = (char *)malloc(100*sizeof(char));65 if (data == NULL) {exit(-1);}66 data[0] = '\0'; /* null terminate */67 myUnion.unionFirst = data;68 {69 char * data = myUnion.unionSecond;70 {71 char source[100];72 memset(source, 'C', 100-1); /* fill with 'C's */73 source[100-1] = '\0'; /* null terminate */74 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */75 strncat(data, source, 100);76 printLine(data);77 free(data);78 }79 }80}8182void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_good()83{84 goodG2B();85}8687#endif /* OMITGOOD */8889/* Below is the main(). It is only used when building this testcase on90 * its own for testing or for building a binary to use in testing binary91 * analysis tools. It is not used when compiling all the testcases as one92 * application, which is how source code analysis tools are tested.93 */94#ifdef INCLUDEMAIN9596int main(int argc, char * argv[])97{98 /* seed randomness */99 srand( (unsigned)time(NULL) );100#ifndef OMITGOOD101 printLine("Calling good()...");102 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_good();103 printLine("Finished good()");104#endif /* OMITGOOD */105#ifndef OMITBAD106 printLine("Calling bad()...");107 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_bad();108 printLine("Finished bad()");109#endif /* OMITBAD */110 return 0;111}112113#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__new_wchar_t_memcpy_32.cpp3Label Definition File: CWE127_Buffer_Underread__new.label.xml4Template File: sources-sink-32.tmpl.cpp5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE127_Buffer_Underread__new_wchar_t_memcpy_3222{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 wchar_t * *dataPtr1 = &data;✓ 30 wchar_t * *dataPtr2 = &data;✓ 31 data = NULL;32 {✓ 33 wchar_t * data = *dataPtr1;34 {✓ 35 wchar_t * dataBuffer = new wchar_t[100];✓ 36 wmemset(dataBuffer, L'A', 100-1);✓ 37 dataBuffer[100-1] = L'\0';38 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 39 data = dataBuffer - 8;40 }✓ 41 *dataPtr1 = data;42 }43 {✓ 44 wchar_t * data = *dataPtr2;45 {✓ 46 wchar_t dest[100];✓ 47 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 48 dest[100-1] = L'\0'; /* null terminate */49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 50 memcpy(dest, data, 100*sizeof(wchar_t));❗VULN51 /* Ensure null termination */✓ 52 dest[100-1] = L'\0';✓ 53 printWLine(dest);54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location55 * returned by new [] so can't safely call delete [] on it */56 }57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B() uses the GoodSource with the BadSink */65static void goodG2B()66{67 wchar_t * data;68 wchar_t * *dataPtr1 = &data;69 wchar_t * *dataPtr2 = &data;70 data = NULL;71 {72 wchar_t * data = *dataPtr1;73 {74 wchar_t * dataBuffer = new wchar_t[100];75 wmemset(dataBuffer, L'A', 100-1);76 dataBuffer[100-1] = L'\0';77 /* FIX: Set data pointer to the allocated memory buffer */78 data = dataBuffer;79 }80 *dataPtr1 = data;81 }82 {83 wchar_t * data = *dataPtr2;84 {85 wchar_t dest[100];86 wmemset(dest, L'C', 100-1); /* fill with 'C's */87 dest[100-1] = L'\0'; /* null terminate */88 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */89 memcpy(dest, data, 100*sizeof(wchar_t));90 /* Ensure null termination */91 dest[100-1] = L'\0';92 printWLine(dest);93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location94 * returned by new [] so can't safely call delete [] on it */95 }96 }97}9899void good()100{101 goodG2B();102}103104#endif /* OMITGOOD */105106} /* close namespace */107108/* Below is the main(). It is only used when building this testcase on109 its own for testing or for building a binary to use in testing binary110 analysis tools. It is not used when compiling all the testcases as one111 application, which is how source code analysis tools are tested. */112#ifdef INCLUDEMAIN113114using namespace CWE127_Buffer_Underread__new_wchar_t_memcpy_32; /* so that we can use good and bad easily */115116int main(int argc, char * argv[])117{118 /* seed randomness */119 srand( (unsigned)time(NULL) );120#ifndef OMITGOOD121 printLine("Calling good()...");122 good();123 printLine("Finished good()");124#endif /* OMITGOOD */125#ifndef OMITBAD126 printLine("Calling bad()...");127 bad();128 printLine("Finished bad()");129#endif /* OMITBAD */130 return 0;131}132133#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 2 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__CWE170_char_strncpy_15.c3Label Definition File: CWE126_Buffer_Overread__CWE170.label.xml4Template File: point-flaw-15.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Overread9 * Sinks: strncpy10 * GoodSink: Copy a string using strncpy() with explicit null termination11 * BadSink : Copy a string using strncpy() without explicit null termination12 * Flow Variant: 15 Control flow: switch(6)13 *14 * */1516#include "std_testcase.h"1718#include <wchar.h>1920#ifndef OMITBAD2122void CWE126_Buffer_Overread__CWE170_char_strncpy_15_bad()23{✓ 24 switch(6)25 {✓ 26 case 6:27 {✓ 28 char data[150], dest[100];29 /* Initialize data */✓ 30 memset(data, 'A', 149);✓ 31 data[149] = '\0';32 /* strncpy() does not null terminate if the string in the src buffer is larger than33 * the number of characters being copied to the dest buffer */✓ 34 strncpy(dest, data, 99);35 /* FLAW: do not explicitly null terminate dest after the use of strncpy() */✓ 36 printLine(dest);❗VULN37 }✗ 38 break;✓ 39 default:40 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 41 printLine("Benign, fixed string");✓ 42 break;43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* good1() changes the switch to switch(5) */51static void good1()52{53 switch(5)54 {55 case 6:56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */57 printLine("Benign, fixed string");58 break;59 default:60 {61 char data[150], dest[100];62 /* Initialize data */63 memset(data, 'A', 149);64 data[149] = '\0';65 /* strncpy() does not null terminate if the string in the src buffer is larger than66 * the number of characters being copied to the dest buffer */67 strncpy(dest, data, 99);68 dest[99] = '\0'; /* FIX: Explicitly null terminate dest after the use of strncpy() */69 printLine(dest);70 }71 break;72 }73}7475/* good2() reverses the blocks in the switch */76static void good2()77{78 switch(6)79 {80 case 6:81 {82 char data[150], dest[100];83 /* Initialize data */84 memset(data, 'A', 149);85 data[149] = '\0';86 /* strncpy() does not null terminate if the string in the src buffer is larger than87 * the number of characters being copied to the dest buffer */88 strncpy(dest, data, 99);89 dest[99] = '\0'; /* FIX: Explicitly null terminate dest after the use of strncpy() */90 printLine(dest);91 }92 break;93 default:94 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */95 printLine("Benign, fixed string");96 break;97 }98}99100void CWE126_Buffer_Overread__CWE170_char_strncpy_15_good()101{102 good1();103 good2();104}105106#endif /* OMITGOOD */107108/* Below is the main(). It is only used when building this testcase on109 its own for testing or for building a binary to use in testing binary110 analysis tools. It is not used when compiling all the testcases as one111 application, which is how source code analysis tools are tested. */112113#ifdef INCLUDEMAIN114115int main(int argc, char * argv[])116{117 /* seed randomness */118 srand( (unsigned)time(NULL) );119#ifndef OMITGOOD120 printLine("Calling good()...");121 CWE126_Buffer_Overread__CWE170_char_strncpy_15_good();122 printLine("Finished good()");123#endif /* OMITGOOD */124#ifndef OMITBAD125 printLine("Calling bad()...");126 CWE126_Buffer_Overread__CWE170_char_strncpy_15_bad();127 printLine("Finished bad()");128#endif /* OMITBAD */129 return 0;130}131132#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_snprintf_08.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml4Template File: sources-sink-08.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: swprintf12 * BadSink : Copy data to string using swprintf13 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627/* The two function below always return the same value, so a tool28 should be able to identify that calls to the functions will always29 return a fixed value. */30static int staticReturnsTrue()31{32 return 1;33}3435static int staticReturnsFalse()36{37 return 0;38}3940namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_snprintf_0841{4243#ifndef OMITBAD4445void bad()46{✓ 47 wchar_t * data;✓ 48 data = new wchar_t[100];✓ 49 if(staticReturnsTrue())50 {51 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 52 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 53 data[100-1] = L'\0'; /* null terminate */54 }55 {✓ 56 wchar_t dest[50] = L"";57 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 58 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN✓ 59 printWLine(data);✓ 60 delete [] data;61 }62}6364#endif /* OMITBAD */6566#ifndef OMITGOOD6768/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */69static void goodG2B1()70{71 wchar_t * data;72 data = new wchar_t[100];73 if(staticReturnsFalse())74 {75 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */76 printLine("Benign, fixed string");77 }78 else79 {80 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */81 wmemset(data, L'A', 50-1); /* fill with L'A's */82 data[50-1] = L'\0'; /* null terminate */83 }84 {85 wchar_t dest[50] = L"";86 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */87 SNPRINTF(dest, wcslen(data), L"%s", data);88 printWLine(data);89 delete [] data;90 }91}9293/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */94static void goodG2B2()95{96 wchar_t * data;97 data = new wchar_t[100];98 if(staticReturnsTrue())99 {100 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */101 wmemset(data, L'A', 50-1); /* fill with L'A's */102 data[50-1] = L'\0'; /* null terminate */103 }104 {105 wchar_t dest[50] = L"";106 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */107 SNPRINTF(dest, wcslen(data), L"%s", data);108 printWLine(data);109 delete [] data;110 }111}112113void good()114{115 goodG2B1();116 goodG2B2();117}118119#endif /* OMITGOOD */120121} /* close namespace */122123/* Below is the main(). It is only used when building this testcase on124 its own for testing or for building a binary to use in testing binary125 analysis tools. It is not used when compiling all the testcases as one126 application, which is how source code analysis tools are tested. */127128#ifdef INCLUDEMAIN129130using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_snprintf_08; /* so that we can use good and bad easily */131132int main(int argc, char * argv[])133{134 /* seed randomness */135 srand( (unsigned)time(NULL) );136#ifndef OMITGOOD137 printLine("Calling good()...");138 good();139 printLine("Finished good()");140#endif /* OMITGOOD */141#ifndef OMITBAD142 printLine("Calling bad()...");143 bad();144 printLine("Finished bad()");145#endif /* OMITBAD */146 return 0;147}148149#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_char_ncpy_33.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sinks: ncpy12 * BadSink : Copy string to data using strncpy13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE124_Buffer_Underwrite__new_char_ncpy_3322{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 char * &dataRef = data;✓ 30 data = NULL;31 {✓ 32 char * dataBuffer = new char[100];✓ 33 memset(dataBuffer, 'A', 100-1);✓ 34 dataBuffer[100-1] = '\0';35 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 36 data = dataBuffer - 8;37 }38 {✓ 39 char * data = dataRef;40 {✓ 41 char source[100];✓ 42 memset(source, 'C', 100-1); /* fill with 'C's */✓ 43 source[100-1] = '\0'; /* null terminate */44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 45 strncpy(data, source, 100-1);❗VULN46 /* Ensure the destination buffer is null terminated */✓ 47 data[100-1] = '\0';✓ 48 printLine(data);49 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location50 * returned by new [] so can't safely call delete [] on it */51 }52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B() uses the GoodSource with the BadSink */60static void goodG2B()61{62 char * data;63 char * &dataRef = data;64 data = NULL;65 {66 char * dataBuffer = new char[100];67 memset(dataBuffer, 'A', 100-1);68 dataBuffer[100-1] = '\0';69 /* FIX: Set data pointer to the allocated memory buffer */70 data = dataBuffer;71 }72 {73 char * data = dataRef;74 {75 char source[100];76 memset(source, 'C', 100-1); /* fill with 'C's */77 source[100-1] = '\0'; /* null terminate */78 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */79 strncpy(data, source, 100-1);80 /* Ensure the destination buffer is null terminated */81 data[100-1] = '\0';82 printLine(data);83 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location84 * returned by new [] so can't safely call delete [] on it */85 }86 }87}8889void good()90{91 goodG2B();92}9394#endif /* OMITGOOD */9596} /* close namespace */9798/* Below is the main(). It is only used when building this testcase on99 its own for testing or for building a binary to use in testing binary100 analysis tools. It is not used when compiling all the testcases as one101 application, which is how source code analysis tools are tested. */102#ifdef INCLUDEMAIN103104using namespace CWE124_Buffer_Underwrite__new_char_ncpy_33; /* so that we can use good and bad easily */105106int main(int argc, char * argv[])107{108 /* seed randomness */109 srand( (unsigned)time(NULL) );110#ifndef OMITGOOD111 printLine("Calling good()...");112 good();113 printLine("Finished good()");114#endif /* OMITGOOD */115#ifndef OMITBAD116 printLine("Calling bad()...");117 bad();118 printLine("Finished bad()");119#endif /* OMITBAD */120 return 0;121}122123#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 7 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_01.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml4Template File: sources-sink-01.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sink: ncpy12 * BadSink : Copy string to data using strncpy()13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_0127{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 data = NULL;35 /* FLAW: Did not leave space for a null terminator */✓ 36 data = new char[10];37 {✓ 38 char source[10+1] = SRC_STRING;39 /* Copy length + 1 to include NUL terminator from source */40 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 41 strncpy(data, source, strlen(source) + 1);❗VULN✓ 42 printLine(data);✓ 43 delete [] data;44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B uses the GoodSource with the BadSink */52static void goodG2B()53{54 char * data;55 data = NULL;56 /* FIX: Allocate space for a null terminator */57 data = new char[10+1];58 {59 char source[10+1] = SRC_STRING;60 /* Copy length + 1 to include NUL terminator from source */61 /* POTENTIAL FLAW: data may not have enough space to hold source */62 strncpy(data, source, strlen(source) + 1);63 printLine(data);64 delete [] data;65 }66}6768void good()69{70 goodG2B();71}7273#endif /* OMITGOOD */7475} /* close namespace */7677/* Below is the main(). It is only used when building this testcase on78 its own for testing or for building a binary to use in testing binary79 analysis tools. It is not used when compiling all the testcases as one80 application, which is how source code analysis tools are tested. */8182#ifdef INCLUDEMAIN8384using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_01; /* so that we can use good and bad easily */8586int main(int argc, char * argv[])87{88 /* seed randomness */89 srand( (unsigned)time(NULL) );90#ifndef OMITGOOD91 printLine("Calling good()...");92 good();93 printLine("Finished good()");94#endif /* OMITGOOD */95#ifndef OMITBAD96 printLine("Calling bad()...");97 bad();98 printLine("Finished bad()");99#endif /* OMITBAD */100 return 0;101}102103#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: cpy12 * BadSink : Copy data to string using wcscpy13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 data = dataBuffer;✓ 28 goto source;✓ 29source:30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 31 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 32 data[100-1] = L'\0'; /* null terminate */33 {✓ 34 wchar_t dest[50] = L"";35 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 36 wcscpy(dest, data);❗VULN✓ 37 printWLine(data);38 }39}4041#endif /* OMITBAD */4243#ifndef OMITGOOD4445/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */46static void goodG2B()47{48 wchar_t * data;49 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));50 data = dataBuffer;51 goto source;52source:53 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */54 wmemset(data, L'A', 50-1); /* fill with L'A's */55 data[50-1] = L'\0'; /* null terminate */56 {57 wchar_t dest[50] = L"";58 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */59 wcscpy(dest, data);60 printWLine(data);61 }62}6364void CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18_good()65{66 goodG2B();67}6869#endif /* OMITGOOD */7071/* Below is the main(). It is only used when building this testcase on72 * its own for testing or for building a binary to use in testing binary73 * analysis tools. It is not used when compiling all the testcases as one74 * application, which is how source code analysis tools are tested.75 */7677#ifdef INCLUDEMAIN7879int main(int argc, char * argv[])80{81 /* seed randomness */82 srand( (unsigned)time(NULL) );83#ifndef OMITGOOD84 printLine("Calling good()...");85 CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18_good();86 printLine("Finished good()");87#endif /* OMITGOOD */88#ifndef OMITBAD89 printLine("Calling bad()...");90 CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18_bad();91 printLine("Finished bad()");92#endif /* OMITBAD */93 return 0;94}9596#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_declare_memmove_01.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-01.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__char_declare_memmove_01_bad()24{✓ 25 char * data;✓ 26 char dataBuffer[100];✓ 27 memset(dataBuffer, 'A', 100-1);✓ 28 dataBuffer[100-1] = '\0';29 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 30 data = dataBuffer - 8;31 {✓ 32 char dest[100];✓ 33 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 34 dest[100-1] = '\0'; /* null terminate */35 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 36 memmove(dest, data, 100*sizeof(char));❗VULN37 /* Ensure null termination */✓ 38 dest[100-1] = '\0';✓ 39 printLine(dest);40 }41}4243#endif /* OMITBAD */4445#ifndef OMITGOOD4647/* goodG2B uses the GoodSource with the BadSink */48static void goodG2B()49{50 char * data;51 char dataBuffer[100];52 memset(dataBuffer, 'A', 100-1);53 dataBuffer[100-1] = '\0';54 /* FIX: Set data pointer to the allocated memory buffer */55 data = dataBuffer;56 {57 char dest[100];58 memset(dest, 'C', 100-1); /* fill with 'C's */59 dest[100-1] = '\0'; /* null terminate */60 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */61 memmove(dest, data, 100*sizeof(char));62 /* Ensure null termination */63 dest[100-1] = '\0';64 printLine(dest);65 }66}6768void CWE127_Buffer_Underread__char_declare_memmove_01_good()69{70 goodG2B();71}7273#endif /* OMITGOOD */7475/* Below is the main(). It is only used when building this testcase on76 * its own for testing or for building a binary to use in testing binary77 * analysis tools. It is not used when compiling all the testcases as one78 * application, which is how source code analysis tools are tested.79 */8081#ifdef INCLUDEMAIN8283int main(int argc, char * argv[])84{85 /* seed randomness */86 srand( (unsigned)time(NULL) );87#ifndef OMITGOOD88 printLine("Calling good()...");89 CWE127_Buffer_Underread__char_declare_memmove_01_good();90 printLine("Finished good()");91#endif /* OMITGOOD */92#ifndef OMITBAD93 printLine("Calling bad()...");94 CWE127_Buffer_Underread__char_declare_memmove_01_bad();95 printLine("Finished bad()");96#endif /* OMITBAD */97 return 0;98}99100#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: cpy12 * BadSink : Copy string to data using strcpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 * any other value so a tool should be able to identify that reads of23 * this will always give its initialized value.24 */25static int staticFive = 5;2627#ifndef OMITBAD2829void CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07_bad()30{✓ 31 char * data;✓ 32 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));✓ 33 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));✓ 34 if(staticFive==5)35 {36 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination37 * buffer in various memory copying functions using a "large" source buffer. */✓ 38 data = dataBadBuffer;✓ 39 data[0] = '\0'; /* null terminate */40 }41 {✓ 42 char source[100];✓ 43 memset(source, 'C', 100-1); /* fill with 'C's */✓ 44 source[100-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 46 strcpy(data, source);❗VULN✓ 47 printLine(data);48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */56static void goodG2B1()57{58 char * data;59 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));60 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));61 if(staticFive!=5)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */69 data = dataGoodBuffer;70 data[0] = '\0'; /* null terminate */71 }72 {73 char source[100];74 memset(source, 'C', 100-1); /* fill with 'C's */75 source[100-1] = '\0'; /* null terminate */76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */77 strcpy(data, source);78 printLine(data);79 }80}8182/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */83static void goodG2B2()84{85 char * data;86 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));87 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));88 if(staticFive==5)89 {90 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */91 data = dataGoodBuffer;92 data[0] = '\0'; /* null terminate */93 }94 {95 char source[100];96 memset(source, 'C', 100-1); /* fill with 'C's */97 source[100-1] = '\0'; /* null terminate */98 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */99 strcpy(data, source);100 printLine(data);101 }102}103104void CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07_good()105{106 goodG2B1();107 goodG2B2();108}109110#endif /* OMITGOOD */111112/* Below is the main(). It is only used when building this testcase on113 * its own for testing or for building a binary to use in testing binary114 * analysis tools. It is not used when compiling all the testcases as one115 * application, which is how source code analysis tools are tested.116 */117118#ifdef INCLUDEMAIN119120int main(int argc, char * argv[])121{122 /* seed randomness */123 srand( (unsigned)time(NULL) );124#ifndef OMITGOOD125 printLine("Calling good()...");126 CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07_good();127 printLine("Finished good()");128#endif /* OMITGOOD */129#ifndef OMITBAD130 printLine("Calling bad()...");131 CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07_bad();132 printLine("Finished bad()");133#endif /* OMITBAD */134 return 0;135}136137#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: ncpy12 * BadSink : Copy data to string using wcsncpy13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;✓ 27 if(1)28 {29 {✓ 30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 wmemset(dataBuffer, L'A', 100-1);✓ 33 dataBuffer[100-1] = L'\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 {✓ 39 wchar_t dest[100];✓ 40 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 41 dest[100-1] = L'\0'; /* null terminate */42 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 43 wcsncpy(dest, data, wcslen(dest));❗VULN44 /* Ensure null termination */✓ 45 dest[100-1] = L'\0';✓ 46 printWLine(dest);47 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location48 * returned by malloc() so can't safely call free() on it */49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */57static void goodG2B1()58{59 wchar_t * data;60 data = NULL;61 if(0)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 {69 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));70 if (dataBuffer == NULL) {exit(-1);}71 wmemset(dataBuffer, L'A', 100-1);72 dataBuffer[100-1] = L'\0';73 /* FIX: Set data pointer to the allocated memory buffer */74 data = dataBuffer;75 }76 }77 {78 wchar_t dest[100];79 wmemset(dest, L'C', 100-1); /* fill with 'C's */80 dest[100-1] = L'\0'; /* null terminate */81 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */82 wcsncpy(dest, data, wcslen(dest));83 /* Ensure null termination */84 dest[100-1] = L'\0';85 printWLine(dest);86 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location87 * returned by malloc() so can't safely call free() on it */88 }89}9091/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */92static void goodG2B2()93{94 wchar_t * data;95 data = NULL;96 if(1)97 {98 {99 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));100 if (dataBuffer == NULL) {exit(-1);}101 wmemset(dataBuffer, L'A', 100-1);102 dataBuffer[100-1] = L'\0';103 /* FIX: Set data pointer to the allocated memory buffer */104 data = dataBuffer;105 }106 }107 {108 wchar_t dest[100];109 wmemset(dest, L'C', 100-1); /* fill with 'C's */110 dest[100-1] = L'\0'; /* null terminate */111 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */112 wcsncpy(dest, data, wcslen(dest));113 /* Ensure null termination */114 dest[100-1] = L'\0';115 printWLine(dest);116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location117 * returned by malloc() so can't safely call free() on it */118 }119}120121void CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02_good()122{123 goodG2B1();124 goodG2B2();125}126127#endif /* OMITGOOD */128129/* Below is the main(). It is only used when building this testcase on130 * its own for testing or for building a binary to use in testing binary131 * analysis tools. It is not used when compiling all the testcases as one132 * application, which is how source code analysis tools are tested.133 */134135#ifdef INCLUDEMAIN136137int main(int argc, char * argv[])138{139 /* seed randomness */140 srand( (unsigned)time(NULL) );141#ifndef OMITGOOD142 printLine("Calling good()...");143 CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02_good();144 printLine("Finished good()");145#endif /* OMITGOOD */146#ifndef OMITBAD147 printLine("Calling bad()...");148 CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02_bad();149 printLine("Finished bad()");150#endif /* OMITBAD */151 return 0;152}153154#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 * assigned any other value, so a tool should be able to identify that23 * reads of these will always return their initialized values.24 */25static int staticTrue = 1; /* true */26static int staticFalse = 0; /* false */2728#ifndef OMITBAD2930void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05_bad()31{✓ 32 char * data;✓ 33 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 34 data = dataBuffer;✓ 35 if(staticTrue)36 {37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 38 memset(data, 'A', 100-1); /* fill with 'A's */✓ 39 data[100-1] = '\0'; /* null terminate */40 }41 {✓ 42 char dest[50] = "";43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 44 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN✓ 45 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 46 printLine(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */55static void goodG2B1()56{57 char * data;58 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));59 data = dataBuffer;60 if(staticFalse)61 {62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */63 printLine("Benign, fixed string");64 }65 else66 {67 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */68 memset(data, 'A', 50-1); /* fill with 'A's */69 data[50-1] = '\0'; /* null terminate */70 }71 {72 char dest[50] = "";73 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */74 memcpy(dest, data, strlen(data)*sizeof(char));75 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */76 printLine(data);77 }78}7980/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */81static void goodG2B2()82{83 char * data;84 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));85 data = dataBuffer;86 if(staticTrue)87 {88 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */89 memset(data, 'A', 50-1); /* fill with 'A's */90 data[50-1] = '\0'; /* null terminate */91 }92 {93 char dest[50] = "";94 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */95 memcpy(dest, data, strlen(data)*sizeof(char));96 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */97 printLine(data);98 }99}100101void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05_good()102{103 goodG2B1();104 goodG2B2();105}106107#endif /* OMITGOOD */108109/* Below is the main(). It is only used when building this testcase on110 * its own for testing or for building a binary to use in testing binary111 * analysis tools. It is not used when compiling all the testcases as one112 * application, which is how source code analysis tools are tested.113 */114115#ifdef INCLUDEMAIN116117int main(int argc, char * argv[])118{119 /* seed randomness */120 srand( (unsigned)time(NULL) );121#ifndef OMITGOOD122 printLine("Calling good()...");123 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05_good();124 printLine("Finished good()");125#endif /* OMITGOOD */126#ifndef OMITBAD127 printLine("Calling bad()...");128 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05_bad();129 printLine("Finished bad()");130#endif /* OMITBAD */131 return 0;132}133134#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-10.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy int64_t array to data using a loop13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10_bad()22{✓ 23 int64_t * data;✓ 24 int64_t dataBadBuffer[50];✓ 25 int64_t dataGoodBuffer[100];✓ 26 if(globalTrue)27 {28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination29 * buffer in various memory copying functions using a "large" source buffer. */✓ 30 data = dataBadBuffer;31 }32 {✓ 33 int64_t source[100] = {0}; /* fill with 0's */34 {✓ 35 size_t i;36 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 37 for (i = 0; i < 100; i++)38 {✓ 39 data[i] = source[i];❗VULN40 }✓ 41 printLongLongLine(data[0]);42 }43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */51static void goodG2B1()52{53 int64_t * data;54 int64_t dataBadBuffer[50];55 int64_t dataGoodBuffer[100];56 if(globalFalse)57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */64 data = dataGoodBuffer;65 }66 {67 int64_t source[100] = {0}; /* fill with 0's */68 {69 size_t i;70 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */71 for (i = 0; i < 100; i++)72 {73 data[i] = source[i];74 }75 printLongLongLine(data[0]);76 }77 }78}7980/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */81static void goodG2B2()82{83 int64_t * data;84 int64_t dataBadBuffer[50];85 int64_t dataGoodBuffer[100];86 if(globalTrue)87 {88 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */89 data = dataGoodBuffer;90 }91 {92 int64_t source[100] = {0}; /* fill with 0's */93 {94 size_t i;95 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */96 for (i = 0; i < 100; i++)97 {98 data[i] = source[i];99 }100 printLongLongLine(data[0]);101 }102 }103}104105void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10_good()106{107 goodG2B1();108 goodG2B2();109}110111#endif /* OMITGOOD */112113/* Below is the main(). It is only used when building this testcase on114 * its own for testing or for building a binary to use in testing binary115 * analysis tools. It is not used when compiling all the testcases as one116 * application, which is how source code analysis tools are tested.117 */118119#ifdef INCLUDEMAIN120121int main(int argc, char * argv[])122{123 /* seed randomness */124 srand( (unsigned)time(NULL) );125#ifndef OMITGOOD126 printLine("Calling good()...");127 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10_good();128 printLine("Finished good()");129#endif /* OMITGOOD */130#ifndef OMITBAD131 printLine("Calling bad()...");132 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10_bad();133 printLine("Finished bad()");134#endif /* OMITBAD */135 return 0;136}137138#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 20 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__malloc_wchar_t_loop_09.c3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml4Template File: sources-sink-09.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__malloc_wchar_t_loop_09_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;✓ 27 if(GLOBAL_CONST_TRUE)28 {29 /* FLAW: Use a small buffer */✓ 30 data = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 31 if (data == NULL) {exit(-1);}✓ 32 wmemset(data, L'A', 50-1); /* fill with 'A's */✓ 33 data[50-1] = L'\0'; /* null terminate */34 }35 {✓ 36 size_t i, destLen;✓ 37 wchar_t dest[100];✓ 38 wmemset(dest, L'C', 100-1);✓ 39 dest[100-1] = L'\0'; /* null terminate */✓ 40 destLen = wcslen(dest);41 /* POTENTIAL FLAW: using length of the dest where data42 * could be smaller than dest causing buffer overread */✓ 43 for (i = 0; i < destLen; i++)44 {✓ 45 dest[i] = data[i];❗VULN46 }✓ 47 dest[100-1] = L'\0';✓ 48 printWLine(dest);✓ 49 free(data);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */58static void goodG2B1()59{60 wchar_t * data;61 data = NULL;62 if(GLOBAL_CONST_FALSE)63 {64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */65 printLine("Benign, fixed string");66 }67 else68 {69 /* FIX: Use a large buffer */70 data = (wchar_t *)malloc(100*sizeof(wchar_t));71 if (data == NULL) {exit(-1);}72 wmemset(data, L'A', 100-1); /* fill with 'A's */73 data[100-1] = L'\0'; /* null terminate */74 }75 {76 size_t i, destLen;77 wchar_t dest[100];78 wmemset(dest, L'C', 100-1);79 dest[100-1] = L'\0'; /* null terminate */80 destLen = wcslen(dest);81 /* POTENTIAL FLAW: using length of the dest where data82 * could be smaller than dest causing buffer overread */83 for (i = 0; i < destLen; i++)84 {85 dest[i] = data[i];86 }87 dest[100-1] = L'\0';88 printWLine(dest);89 free(data);90 }91}9293/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */94static void goodG2B2()95{96 wchar_t * data;97 data = NULL;98 if(GLOBAL_CONST_TRUE)99 {100 /* FIX: Use a large buffer */101 data = (wchar_t *)malloc(100*sizeof(wchar_t));102 if (data == NULL) {exit(-1);}103 wmemset(data, L'A', 100-1); /* fill with 'A's */104 data[100-1] = L'\0'; /* null terminate */105 }106 {107 size_t i, destLen;108 wchar_t dest[100];109 wmemset(dest, L'C', 100-1);110 dest[100-1] = L'\0'; /* null terminate */111 destLen = wcslen(dest);112 /* POTENTIAL FLAW: using length of the dest where data113 * could be smaller than dest causing buffer overread */114 for (i = 0; i < destLen; i++)115 {116 dest[i] = data[i];117 }118 dest[100-1] = L'\0';119 printWLine(dest);120 free(data);121 }122}123124void CWE126_Buffer_Overread__malloc_wchar_t_loop_09_good()125{126 goodG2B1();127 goodG2B2();128}129130#endif /* OMITGOOD */131132/* Below is the main(). It is only used when building this testcase on133 * its own for testing or for building a binary to use in testing binary134 * analysis tools. It is not used when compiling all the testcases as one135 * application, which is how source code analysis tools are tested.136 */137138#ifdef INCLUDEMAIN139140int main(int argc, char * argv[])141{142 /* seed randomness */143 srand( (unsigned)time(NULL) );144#ifndef OMITGOOD145 printLine("Calling good()...");146 CWE126_Buffer_Overread__malloc_wchar_t_loop_09_good();147 printLine("Finished good()");148#endif /* OMITGOOD */149#ifndef OMITBAD150 printLine("Calling bad()...");151 CWE126_Buffer_Overread__malloc_wchar_t_loop_09_bad();152 printLine("Finished bad()");153#endif /* OMITBAD */154 return 0;155}156157#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_alloca_memmove_04.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-04.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are declared "const", so a tool should22 * be able to identify that reads of these will always return their23 * initialized values.24 */25static const int STATIC_CONST_TRUE = 1; /* true */26static const int STATIC_CONST_FALSE = 0; /* false */2728#ifndef OMITBAD2930void CWE127_Buffer_Underread__wchar_t_alloca_memmove_04_bad()31{✓ 32 wchar_t * data;✓ 33 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 34 wmemset(dataBuffer, L'A', 100-1);✓ 35 dataBuffer[100-1] = L'\0';✓ 36 if(STATIC_CONST_TRUE)37 {38 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 39 data = dataBuffer - 8;40 }41 {✓ 42 wchar_t dest[100];✓ 43 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 44 dest[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 46 memmove(dest, data, 100*sizeof(wchar_t));❗VULN47 /* Ensure null termination */✓ 48 dest[100-1] = L'\0';✓ 49 printWLine(dest);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */58static void goodG2B1()59{60 wchar_t * data;61 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));62 wmemset(dataBuffer, L'A', 100-1);63 dataBuffer[100-1] = L'\0';64 if(STATIC_CONST_FALSE)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 /* FIX: Set data pointer to the allocated memory buffer */72 data = dataBuffer;73 }74 {75 wchar_t dest[100];76 wmemset(dest, L'C', 100-1); /* fill with 'C's */77 dest[100-1] = L'\0'; /* null terminate */78 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */79 memmove(dest, data, 100*sizeof(wchar_t));80 /* Ensure null termination */81 dest[100-1] = L'\0';82 printWLine(dest);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 wchar_t * data;90 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));91 wmemset(dataBuffer, L'A', 100-1);92 dataBuffer[100-1] = L'\0';93 if(STATIC_CONST_TRUE)94 {95 /* FIX: Set data pointer to the allocated memory buffer */96 data = dataBuffer;97 }98 {99 wchar_t dest[100];100 wmemset(dest, L'C', 100-1); /* fill with 'C's */101 dest[100-1] = L'\0'; /* null terminate */102 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */103 memmove(dest, data, 100*sizeof(wchar_t));104 /* Ensure null termination */105 dest[100-1] = L'\0';106 printWLine(dest);107 }108}109110void CWE127_Buffer_Underread__wchar_t_alloca_memmove_04_good()111{112 goodG2B1();113 goodG2B2();114}115116#endif /* OMITGOOD */117118/* Below is the main(). It is only used when building this testcase on119 * its own for testing or for building a binary to use in testing binary120 * analysis tools. It is not used when compiling all the testcases as one121 * application, which is how source code analysis tools are tested.122 */123124#ifdef INCLUDEMAIN125126int main(int argc, char * argv[])127{128 /* seed randomness */129 srand( (unsigned)time(NULL) );130#ifndef OMITGOOD131 printLine("Calling good()...");132 CWE127_Buffer_Underread__wchar_t_alloca_memmove_04_good();133 printLine("Finished good()");134#endif /* OMITGOOD */135#ifndef OMITBAD136 printLine("Calling bad()...");137 CWE127_Buffer_Underread__wchar_t_alloca_memmove_04_bad();138 printLine("Finished bad()");139#endif /* OMITBAD */140 return 0;141}142143#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 37 | Sink Nodes: 2 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* Error: Could not load file CWE123_Write_What_Where_Condition__connect_socket_16.c: File CWE123_Write_What_Where_Condition__connect_socket_16.c not found in any subfolder of /home/nimana11/Thesis/codes/VulExplainerExp-84ED_2/datasets/buffer overflow/function/testcases/CWE123_Write_What_Where_Condition */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_alloca_cpy_13.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-13.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy data to string using wcscpy13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__wchar_t_alloca_cpy_13_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';✓ 29 if(GLOBAL_CONST_FIVE==5)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 wchar_t dest[100*2];✓ 36 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */✓ 37 dest[100*2-1] = L'\0'; /* null terminate */38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 39 wcscpy(dest, data);❗VULN✓ 40 printWLine(dest);41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */49static void goodG2B1()50{51 wchar_t * data;52 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));53 wmemset(dataBuffer, L'A', 100-1);54 dataBuffer[100-1] = L'\0';55 if(GLOBAL_CONST_FIVE!=5)56 {57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */58 printLine("Benign, fixed string");59 }60 else61 {62 /* FIX: Set data pointer to the allocated memory buffer */63 data = dataBuffer;64 }65 {66 wchar_t dest[100*2];67 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */68 dest[100*2-1] = L'\0'; /* null terminate */69 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */70 wcscpy(dest, data);71 printWLine(dest);72 }73}7475/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */76static void goodG2B2()77{78 wchar_t * data;79 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));80 wmemset(dataBuffer, L'A', 100-1);81 dataBuffer[100-1] = L'\0';82 if(GLOBAL_CONST_FIVE==5)83 {84 /* FIX: Set data pointer to the allocated memory buffer */85 data = dataBuffer;86 }87 {88 wchar_t dest[100*2];89 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */90 dest[100*2-1] = L'\0'; /* null terminate */91 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */92 wcscpy(dest, data);93 printWLine(dest);94 }95}9697void CWE127_Buffer_Underread__wchar_t_alloca_cpy_13_good()98{99 goodG2B1();100 goodG2B2();101}102103#endif /* OMITGOOD */104105/* Below is the main(). It is only used when building this testcase on106 * its own for testing or for building a binary to use in testing binary107 * analysis tools. It is not used when compiling all the testcases as one108 * application, which is how source code analysis tools are tested.109 */110111#ifdef INCLUDEMAIN112113int main(int argc, char * argv[])114{115 /* seed randomness */116 srand( (unsigned)time(NULL) );117#ifndef OMITGOOD118 printLine("Calling good()...");119 CWE127_Buffer_Underread__wchar_t_alloca_cpy_13_good();120 printLine("Finished good()");121#endif /* OMITGOOD */122#ifndef OMITBAD123 printLine("Calling bad()...");124 CWE127_Buffer_Underread__wchar_t_alloca_cpy_13_bad();125 printLine("Finished bad()");126#endif /* OMITBAD */127 return 0;128}129130#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 25 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__char_alloca_loop_15.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-15.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 15 Control flow: switch(6)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__char_alloca_loop_15_bad()24{✓ 25 char * data;✓ 26 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));✓ 27 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));✓ 28 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */✓ 29 dataBadBuffer[50-1] = '\0'; /* null terminate */✓ 30 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */✓ 31 dataGoodBuffer[100-1] = '\0'; /* null terminate */✓ 32 switch(6)33 {✓ 34 case 6:35 /* FLAW: Set data pointer to a small buffer */✓ 36 data = dataBadBuffer;✓ 37 break;✓ 38 default:39 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 40 printLine("Benign, fixed string");✓ 41 break;42 }43 {✓ 44 size_t i, destLen;✓ 45 char dest[100];✓ 46 memset(dest, 'C', 100-1);✓ 47 dest[100-1] = '\0'; /* null terminate */✓ 48 destLen = strlen(dest);49 /* POTENTIAL FLAW: using length of the dest where data50 * could be smaller than dest causing buffer overread */✓ 51 for (i = 0; i < destLen; i++)52 {✓ 53 dest[i] = data[i];❗VULN54 }✓ 55 dest[100-1] = '\0';✓ 56 printLine(dest);57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */65static void goodG2B1()66{67 char * data;68 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));69 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));70 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */71 dataBadBuffer[50-1] = '\0'; /* null terminate */72 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */73 dataGoodBuffer[100-1] = '\0'; /* null terminate */74 switch(5)75 {76 case 6:77 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */78 printLine("Benign, fixed string");79 break;80 default:81 /* FIX: Set data pointer to a large buffer */82 data = dataGoodBuffer;83 break;84 }85 {86 size_t i, destLen;87 char dest[100];88 memset(dest, 'C', 100-1);89 dest[100-1] = '\0'; /* null terminate */90 destLen = strlen(dest);91 /* POTENTIAL FLAW: using length of the dest where data92 * could be smaller than dest causing buffer overread */93 for (i = 0; i < destLen; i++)94 {95 dest[i] = data[i];96 }97 dest[100-1] = '\0';98 printLine(dest);99 }100}101102/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */103static void goodG2B2()104{105 char * data;106 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));107 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));108 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */109 dataBadBuffer[50-1] = '\0'; /* null terminate */110 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */111 dataGoodBuffer[100-1] = '\0'; /* null terminate */112 switch(6)113 {114 case 6:115 /* FIX: Set data pointer to a large buffer */116 data = dataGoodBuffer;117 break;118 default:119 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */120 printLine("Benign, fixed string");121 break;122 }123 {124 size_t i, destLen;125 char dest[100];126 memset(dest, 'C', 100-1);127 dest[100-1] = '\0'; /* null terminate */128 destLen = strlen(dest);129 /* POTENTIAL FLAW: using length of the dest where data130 * could be smaller than dest causing buffer overread */131 for (i = 0; i < destLen; i++)132 {133 dest[i] = data[i];134 }135 dest[100-1] = '\0';136 printLine(dest);137 }138}139140void CWE126_Buffer_Overread__char_alloca_loop_15_good()141{142 goodG2B1();143 goodG2B2();144}145146#endif /* OMITGOOD */147148/* Below is the main(). It is only used when building this testcase on149 * its own for testing or for building a binary to use in testing binary150 * analysis tools. It is not used when compiling all the testcases as one151 * application, which is how source code analysis tools are tested.152 */153154#ifdef INCLUDEMAIN155156int main(int argc, char * argv[])157{158 /* seed randomness */159 srand( (unsigned)time(NULL) );160#ifndef OMITGOOD161 printLine("Calling good()...");162 CWE126_Buffer_Overread__char_alloca_loop_15_good();163 printLine("Finished good()");164#endif /* OMITGOOD */165#ifndef OMITBAD166 printLine("Calling bad()...");167 CWE126_Buffer_Overread__char_alloca_loop_15_bad();168 printLine("Finished bad()");169#endif /* OMITBAD */170 return 0;171}172173#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_18.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml4Template File: sources-sink-18.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy int64_t array to data using memcpy13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_1820{2122#ifndef OMITBAD2324void bad()25{✓ 26 int64_t * data;✓ 27 data = NULL;✓ 28 goto source;✓ 29source:30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 31 data = new int64_t[50];32 {✓ 33 int64_t source[100] = {0}; /* fill with 0's */34 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 35 memcpy(data, source, 100*sizeof(int64_t));❗VULN✓ 36 printLongLongLine(data[0]);✓ 37 delete [] data;38 }39}4041#endif /* OMITBAD */4243#ifndef OMITGOOD4445/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */46static void goodG2B()47{48 int64_t * data;49 data = NULL;50 goto source;51source:52 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */53 data = new int64_t[100];54 {55 int64_t source[100] = {0}; /* fill with 0's */56 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */57 memcpy(data, source, 100*sizeof(int64_t));58 printLongLongLine(data[0]);59 delete [] data;60 }61}6263void good()64{65 goodG2B();66}6768#endif /* OMITGOOD */6970} /* close namespace */7172/* Below is the main(). It is only used when building this testcase on73 its own for testing or for building a binary to use in testing binary74 analysis tools. It is not used when compiling all the testcases as one75 application, which is how source code analysis tools are tested. */7677#ifdef INCLUDEMAIN7879using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_18; /* so that we can use good and bad easily */8081int main(int argc, char * argv[])82{83 /* seed randomness */84 srand( (unsigned)time(NULL) );85#ifndef OMITGOOD86 printLine("Calling good()...");87 good();88 printLine("Finished good()");89#endif /* OMITGOOD */90#ifndef OMITBAD91 printLine("Calling bad()...");92 bad();93 printLine("Finished bad()");94#endif /* OMITBAD */95 return 0;96}9798#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-09.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memcpy12 * BadSink : Copy twoIntsStruct array to data using memcpy13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09_bad()22{✓ 23 twoIntsStruct * data;✓ 24 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));✓ 25 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));✓ 26 if(GLOBAL_CONST_TRUE)27 {28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination29 * buffer in various memory copying functions using a "large" source buffer. */✓ 30 data = dataBadBuffer;31 }32 {✓ 33 twoIntsStruct source[100];34 {✓ 35 size_t i;36 /* Initialize array */✓ 37 for (i = 0; i < 100; i++)38 {✓ 39 source[i].intOne = 0;✓ 40 source[i].intTwo = 0;41 }42 }43 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 44 memcpy(data, source, 100*sizeof(twoIntsStruct));❗VULN✓ 45 printStructLine(&data[0]);46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */54static void goodG2B1()55{56 twoIntsStruct * data;57 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));58 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));59 if(GLOBAL_CONST_FALSE)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */67 data = dataGoodBuffer;68 }69 {70 twoIntsStruct source[100];71 {72 size_t i;73 /* Initialize array */74 for (i = 0; i < 100; i++)75 {76 source[i].intOne = 0;77 source[i].intTwo = 0;78 }79 }80 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */81 memcpy(data, source, 100*sizeof(twoIntsStruct));82 printStructLine(&data[0]);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 twoIntsStruct * data;90 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));91 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));92 if(GLOBAL_CONST_TRUE)93 {94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */95 data = dataGoodBuffer;96 }97 {98 twoIntsStruct source[100];99 {100 size_t i;101 /* Initialize array */102 for (i = 0; i < 100; i++)103 {104 source[i].intOne = 0;105 source[i].intTwo = 0;106 }107 }108 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */109 memcpy(data, source, 100*sizeof(twoIntsStruct));110 printStructLine(&data[0]);111 }112}113114void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09_good()115{116 goodG2B1();117 goodG2B2();118}119120#endif /* OMITGOOD */121122/* Below is the main(). It is only used when building this testcase on123 * its own for testing or for building a binary to use in testing binary124 * analysis tools. It is not used when compiling all the testcases as one125 * application, which is how source code analysis tools are tested.126 */127128#ifdef INCLUDEMAIN129130int main(int argc, char * argv[])131{132 /* seed randomness */133 srand( (unsigned)time(NULL) );134#ifndef OMITGOOD135 printLine("Calling good()...");136 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09_good();137 printLine("Finished good()");138#endif /* OMITGOOD */139#ifndef OMITBAD140 printLine("Calling bad()...");141 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09_bad();142 printLine("Finished bad()");143#endif /* OMITBAD */144 return 0;145}146147#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_char_memcpy_07.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-07.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 any other value so a tool should be able to identify that reads of23 this will always give its initialized value. */24static int staticFive = 5;2526namespace CWE124_Buffer_Underwrite__new_char_memcpy_0727{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 data = NULL;✓ 35 if(staticFive==5)36 {37 {✓ 38 char * dataBuffer = new char[100];✓ 39 memset(dataBuffer, 'A', 100-1);✓ 40 dataBuffer[100-1] = '\0';41 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 42 data = dataBuffer - 8;43 }44 }45 {✓ 46 char source[100];✓ 47 memset(source, 'C', 100-1); /* fill with 'C's */✓ 48 source[100-1] = '\0'; /* null terminate */49 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 50 memcpy(data, source, 100*sizeof(char));❗VULN51 /* Ensure the destination buffer is null terminated */✓ 52 data[100-1] = '\0';✓ 53 printLine(data);54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location55 * returned by new [] so can't safely call delete [] on it */56 }57}5859#endif /* OMITBAD */6061#ifndef OMITGOOD6263/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */64static void goodG2B1()65{66 char * data;67 data = NULL;68 if(staticFive!=5)69 {70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */71 printLine("Benign, fixed string");72 }73 else74 {75 {76 char * dataBuffer = new char[100];77 memset(dataBuffer, 'A', 100-1);78 dataBuffer[100-1] = '\0';79 /* FIX: Set data pointer to the allocated memory buffer */80 data = dataBuffer;81 }82 }83 {84 char source[100];85 memset(source, 'C', 100-1); /* fill with 'C's */86 source[100-1] = '\0'; /* null terminate */87 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */88 memcpy(data, source, 100*sizeof(char));89 /* Ensure the destination buffer is null terminated */90 data[100-1] = '\0';91 printLine(data);92 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location93 * returned by new [] so can't safely call delete [] on it */94 }95}9697/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */98static void goodG2B2()99{100 char * data;101 data = NULL;102 if(staticFive==5)103 {104 {105 char * dataBuffer = new char[100];106 memset(dataBuffer, 'A', 100-1);107 dataBuffer[100-1] = '\0';108 /* FIX: Set data pointer to the allocated memory buffer */109 data = dataBuffer;110 }111 }112 {113 char source[100];114 memset(source, 'C', 100-1); /* fill with 'C's */115 source[100-1] = '\0'; /* null terminate */116 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */117 memcpy(data, source, 100*sizeof(char));118 /* Ensure the destination buffer is null terminated */119 data[100-1] = '\0';120 printLine(data);121 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location122 * returned by new [] so can't safely call delete [] on it */123 }124}125126void good()127{128 goodG2B1();129 goodG2B2();130}131132#endif /* OMITGOOD */133134} /* close namespace */135136/* Below is the main(). It is only used when building this testcase on137 its own for testing or for building a binary to use in testing binary138 analysis tools. It is not used when compiling all the testcases as one139 application, which is how source code analysis tools are tested. */140141#ifdef INCLUDEMAIN142143using namespace CWE124_Buffer_Underwrite__new_char_memcpy_07; /* so that we can use good and bad easily */144145int main(int argc, char * argv[])146{147 /* seed randomness */148 srand( (unsigned)time(NULL) );149#ifndef OMITGOOD150 printLine("Calling good()...");151 good();152 printLine("Finished good()");153#endif /* OMITGOOD */154#ifndef OMITBAD155 printLine("Calling bad()...");156 bad();157 printLine("Finished bad()");158#endif /* OMITBAD */159 return 0;160}161162#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 7 | Sink Nodes: 2 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__CWE170_char_memcpy_18.c3Label Definition File: CWE126_Buffer_Overread__CWE170.label.xml4Template File: point-flaw-18.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Overread9 * Sinks: memcpy10 * GoodSink: Copy a string using memcpy with explicit null termination11 * BadSink : Copy a string using memcpy without explicit null termination12 * Flow Variant: 18 Control flow: goto statements13 *14 * */1516#include "std_testcase.h"1718#include <wchar.h>1920#ifndef OMITBAD2122void CWE126_Buffer_Overread__CWE170_char_memcpy_18_bad()23{✓ 24 goto sink;✓ 25sink:26 {✓ 27 char data[150], dest[100];28 /* Initialize data */✓ 29 memset(data, 'A', 149);✓ 30 data[149] = '\0';✓ 31 memcpy(dest, data, 99*sizeof(char));❗VULN32 /* FLAW: do not explicitly null terminate dest after the use of memcpy */✓ 33 printLine(dest);❗VULN34 }35}3637#endif /* OMITBAD */3839#ifndef OMITGOOD4041/* good1() reverses the blocks on the goto statement */42static void good1()43{44 goto sink;45sink:46 {47 char data[150], dest[100];48 /* Initialize data */49 memset(data, 'A', 149);50 data[149] = '\0';51 memcpy(dest, data, 99*sizeof(char));52 dest[99] = '\0'; /* FIX: null terminate dest */53 printLine(dest);54 }55}5657void CWE126_Buffer_Overread__CWE170_char_memcpy_18_good()58{59 good1();60}6162#endif /* OMITGOOD */6364/* Below is the main(). It is only used when building this testcase on65 its own for testing or for building a binary to use in testing binary66 analysis tools. It is not used when compiling all the testcases as one67 application, which is how source code analysis tools are tested. */6869#ifdef INCLUDEMAIN7071int main(int argc, char * argv[])72{73 /* seed randomness */74 srand( (unsigned)time(NULL) );75#ifndef OMITGOOD76 printLine("Calling good()...");77 CWE126_Buffer_Overread__CWE170_char_memcpy_18_good();78 printLine("Finished good()");79#endif /* OMITGOOD */80#ifndef OMITBAD81 printLine("Calling bad()...");82 CWE126_Buffer_Overread__CWE170_char_memcpy_18_bad();83 printLine("Finished bad()");84#endif /* OMITBAD */85 return 0;86}8788#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 18 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy twoIntsStruct array to data using a loop13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819/* The two variables below are not defined as "const", but are never20 * assigned any other value, so a tool should be able to identify that21 * reads of these will always return their initialized values.22 */23static int staticTrue = 1; /* true */24static int staticFalse = 0; /* false */2526#ifndef OMITBAD2728void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05_bad()29{✓ 30 twoIntsStruct * data;✓ 31 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));✓ 32 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));✓ 33 if(staticTrue)34 {35 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination36 * buffer in various memory copying functions using a "large" source buffer. */✓ 37 data = dataBadBuffer;38 }39 {✓ 40 twoIntsStruct source[100];41 {✓ 42 size_t i;43 /* Initialize array */✓ 44 for (i = 0; i < 100; i++)45 {✓ 46 source[i].intOne = 0;✓ 47 source[i].intTwo = 0;48 }49 }50 {✓ 51 size_t i;52 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 53 for (i = 0; i < 100; i++)54 {✓ 55 data[i] = source[i];❗VULN56 }✓ 57 printStructLine(&data[0]);58 }59 }60}6162#endif /* OMITBAD */6364#ifndef OMITGOOD6566/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */67static void goodG2B1()68{69 twoIntsStruct * data;70 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));71 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));72 if(staticFalse)73 {74 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */75 printLine("Benign, fixed string");76 }77 else78 {79 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */80 data = dataGoodBuffer;81 }82 {83 twoIntsStruct source[100];84 {85 size_t i;86 /* Initialize array */87 for (i = 0; i < 100; i++)88 {89 source[i].intOne = 0;90 source[i].intTwo = 0;91 }92 }93 {94 size_t i;95 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */96 for (i = 0; i < 100; i++)97 {98 data[i] = source[i];99 }100 printStructLine(&data[0]);101 }102 }103}104105/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */106static void goodG2B2()107{108 twoIntsStruct * data;109 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));110 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));111 if(staticTrue)112 {113 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */114 data = dataGoodBuffer;115 }116 {117 twoIntsStruct source[100];118 {119 size_t i;120 /* Initialize array */121 for (i = 0; i < 100; i++)122 {123 source[i].intOne = 0;124 source[i].intTwo = 0;125 }126 }127 {128 size_t i;129 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */130 for (i = 0; i < 100; i++)131 {132 data[i] = source[i];133 }134 printStructLine(&data[0]);135 }136 }137}138139void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05_good()140{141 goodG2B1();142 goodG2B2();143}144145#endif /* OMITGOOD */146147/* Below is the main(). It is only used when building this testcase on148 * its own for testing or for building a binary to use in testing binary149 * analysis tools. It is not used when compiling all the testcases as one150 * application, which is how source code analysis tools are tested.151 */152153#ifdef INCLUDEMAIN154155int main(int argc, char * argv[])156{157 /* seed randomness */158 srand( (unsigned)time(NULL) );159#ifndef OMITGOOD160 printLine("Calling good()...");161 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05_good();162 printLine("Finished good()");163#endif /* OMITGOOD */164#ifndef OMITBAD165 printLine("Calling bad()...");166 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05_bad();167 printLine("Finished bad()");168#endif /* OMITBAD */169 return 0;170}171172#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_dest_char_cat_01.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_dest.label.xml4Template File: sources-sink-01.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: cat12 * BadSink : Copy string to data using strcat13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_char_cat_0122{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = NULL;30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 31 data = new char[50];✓ 32 data[0] = '\0'; /* null terminate */33 {✓ 34 char source[100];✓ 35 memset(source, 'C', 100-1); /* fill with 'C's */✓ 36 source[100-1] = '\0'; /* null terminate */37 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 38 strcat(data, source);❗VULN✓ 39 printLine(data);✓ 40 delete [] data;41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B uses the GoodSource with the BadSink */49static void goodG2B()50{51 char * data;52 data = NULL;53 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */54 data = new char[100];55 data[0] = '\0'; /* null terminate */56 {57 char source[100];58 memset(source, 'C', 100-1); /* fill with 'C's */59 source[100-1] = '\0'; /* null terminate */60 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */61 strcat(data, source);62 printLine(data);63 delete [] data;64 }65}6667void good()68{69 goodG2B();70}7172#endif /* OMITGOOD */7374} /* close namespace */7576/* Below is the main(). It is only used when building this testcase on77 its own for testing or for building a binary to use in testing binary78 analysis tools. It is not used when compiling all the testcases as one79 application, which is how source code analysis tools are tested. */8081#ifdef INCLUDEMAIN8283using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_char_cat_01; /* so that we can use good and bad easily */8485int main(int argc, char * argv[])86{87 /* seed randomness */88 srand( (unsigned)time(NULL) );89#ifndef OMITGOOD90 printLine("Calling good()...");91 good();92 printLine("Finished good()");93#endif /* OMITGOOD */94#ifndef OMITBAD95 printLine("Calling bad()...");96 bad();97 printLine("Finished bad()");98#endif /* OMITBAD */99 return 0;100}101102#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-13.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;✓ 27 if(GLOBAL_CONST_FIVE==5)28 {29 {✓ 30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 wmemset(dataBuffer, L'A', 100-1);✓ 33 dataBuffer[100-1] = L'\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 {✓ 39 wchar_t dest[100];✓ 40 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 41 dest[100-1] = L'\0'; /* null terminate */42 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 43 memcpy(dest, data, 100*sizeof(wchar_t));❗VULN44 /* Ensure null termination */✓ 45 dest[100-1] = L'\0';✓ 46 printWLine(dest);47 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location48 * returned by malloc() so can't safely call free() on it */49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */57static void goodG2B1()58{59 wchar_t * data;60 data = NULL;61 if(GLOBAL_CONST_FIVE!=5)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 {69 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));70 if (dataBuffer == NULL) {exit(-1);}71 wmemset(dataBuffer, L'A', 100-1);72 dataBuffer[100-1] = L'\0';73 /* FIX: Set data pointer to the allocated memory buffer */74 data = dataBuffer;75 }76 }77 {78 wchar_t dest[100];79 wmemset(dest, L'C', 100-1); /* fill with 'C's */80 dest[100-1] = L'\0'; /* null terminate */81 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */82 memcpy(dest, data, 100*sizeof(wchar_t));83 /* Ensure null termination */84 dest[100-1] = L'\0';85 printWLine(dest);86 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location87 * returned by malloc() so can't safely call free() on it */88 }89}9091/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */92static void goodG2B2()93{94 wchar_t * data;95 data = NULL;96 if(GLOBAL_CONST_FIVE==5)97 {98 {99 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));100 if (dataBuffer == NULL) {exit(-1);}101 wmemset(dataBuffer, L'A', 100-1);102 dataBuffer[100-1] = L'\0';103 /* FIX: Set data pointer to the allocated memory buffer */104 data = dataBuffer;105 }106 }107 {108 wchar_t dest[100];109 wmemset(dest, L'C', 100-1); /* fill with 'C's */110 dest[100-1] = L'\0'; /* null terminate */111 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */112 memcpy(dest, data, 100*sizeof(wchar_t));113 /* Ensure null termination */114 dest[100-1] = L'\0';115 printWLine(dest);116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location117 * returned by malloc() so can't safely call free() on it */118 }119}120121void CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13_good()122{123 goodG2B1();124 goodG2B2();125}126127#endif /* OMITGOOD */128129/* Below is the main(). It is only used when building this testcase on130 * its own for testing or for building a binary to use in testing binary131 * analysis tools. It is not used when compiling all the testcases as one132 * application, which is how source code analysis tools are tested.133 */134135#ifdef INCLUDEMAIN136137int main(int argc, char * argv[])138{139 /* seed randomness */140 srand( (unsigned)time(NULL) );141#ifndef OMITGOOD142 printLine("Calling good()...");143 CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13_good();144 printLine("Finished good()");145#endif /* OMITGOOD */146#ifndef OMITBAD147 printLine("Calling bad()...");148 CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13_bad();149 printLine("Finished bad()");150#endif /* OMITBAD */151 return 0;152}153154#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22a.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-22a.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: snprintf12 * BadSink : Copy data to string using snprintf13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snprintf23#else24#define SNPRINTF snprintf25#endif2627#ifndef OMITBAD2829/* The global variable below is used to drive control flow in the source function */30int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_badGlobal = 0;3132char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_badSource(char * data);3334void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_bad()35{✓ 36 char * data;✓ 37 data = (char *)malloc(100*sizeof(char));✓ 38 if (data == NULL) {exit(-1);}✓ 39 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_badGlobal = 1; /* true */✓ 40 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_badSource(data);41 {✓ 42 char dest[50] = "";43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 44 SNPRINTF(dest, strlen(data), "%s", data);❗VULN✓ 45 printLine(data);✓ 46 free(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* The global variables below are used to drive control flow in the source functions. */55int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B1Global = 0;56int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B2Global = 0;5758/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */59char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B1Source(char * data);6061static void goodG2B1()62{63 char * data;64 data = (char *)malloc(100*sizeof(char));65 if (data == NULL) {exit(-1);}66 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B1Global = 0; /* false */67 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B1Source(data);68 {69 char dest[50] = "";70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */71 SNPRINTF(dest, strlen(data), "%s", data);72 printLine(data);73 free(data);74 }75}7677/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */78char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B2Source(char * data);7980static void goodG2B2()81{82 char * data;83 data = (char *)malloc(100*sizeof(char));84 if (data == NULL) {exit(-1);}85 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B2Global = 1; /* true */86 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B2Source(data);87 {88 char dest[50] = "";89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */90 SNPRINTF(dest, strlen(data), "%s", data);91 printLine(data);92 free(data);93 }94}9596void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_good()97{98 goodG2B1();99 goodG2B2();100}101102#endif /* OMITGOOD */103104/* Below is the main(). It is only used when building this testcase on105 * its own for testing or for building a binary to use in testing binary106 * analysis tools. It is not used when compiling all the testcases as one107 * application, which is how source code analysis tools are tested.108 */109110#ifdef INCLUDEMAIN111112int main(int argc, char * argv[])113{114 /* seed randomness */115 srand( (unsigned)time(NULL) );116#ifndef OMITGOOD117 printLine("Calling good()...");118 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_good();119 printLine("Finished good()");120#endif /* OMITGOOD */121#ifndef OMITBAD122 printLine("Calling bad()...");123 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_bad();124 printLine("Finished bad()");125#endif /* OMITBAD */126 return 0;127}128129#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 18 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml4Template File: sources-sink-15.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: swprintf12 * BadSink : Copy string to data using swprintf13 * Flow Variant: 15 Control flow: switch(6)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627#ifndef OMITBAD2829void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15_bad()30{✓ 31 wchar_t * data;✓ 32 data = NULL;✓ 33 switch(6)34 {✓ 35 case 6:36 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 37 data = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 38 if (data == NULL) {exit(-1);}✓ 39 data[0] = L'\0'; /* null terminate */✓ 40 break;✓ 41 default:42 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 43 printLine("Benign, fixed string");✓ 44 break;45 }46 {✓ 47 wchar_t source[100];✓ 48 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 49 source[100-1] = L'\0'; /* null terminate */50 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 51 SNPRINTF(data, 100, L"%s", source);❗VULN✓ 52 printWLine(data);✓ 53 free(data);54 }55}5657#endif /* OMITBAD */5859#ifndef OMITGOOD6061/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */62static void goodG2B1()63{64 wchar_t * data;65 data = NULL;66 switch(5)67 {68 case 6:69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */70 printLine("Benign, fixed string");71 break;72 default:73 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */74 data = (wchar_t *)malloc(100*sizeof(wchar_t));75 if (data == NULL) {exit(-1);}76 data[0] = L'\0'; /* null terminate */77 break;78 }79 {80 wchar_t source[100];81 wmemset(source, L'C', 100-1); /* fill with L'C's */82 source[100-1] = L'\0'; /* null terminate */83 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */84 SNPRINTF(data, 100, L"%s", source);85 printWLine(data);86 free(data);87 }88}8990/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */91static void goodG2B2()92{93 wchar_t * data;94 data = NULL;95 switch(6)96 {97 case 6:98 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */99 data = (wchar_t *)malloc(100*sizeof(wchar_t));100 if (data == NULL) {exit(-1);}101 data[0] = L'\0'; /* null terminate */102 break;103 default:104 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */105 printLine("Benign, fixed string");106 break;107 }108 {109 wchar_t source[100];110 wmemset(source, L'C', 100-1); /* fill with L'C's */111 source[100-1] = L'\0'; /* null terminate */112 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */113 SNPRINTF(data, 100, L"%s", source);114 printWLine(data);115 free(data);116 }117}118119void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15_good()120{121 goodG2B1();122 goodG2B2();123}124125#endif /* OMITGOOD */126127/* Below is the main(). It is only used when building this testcase on128 * its own for testing or for building a binary to use in testing binary129 * analysis tools. It is not used when compiling all the testcases as one130 * application, which is how source code analysis tools are tested.131 */132133#ifdef INCLUDEMAIN134135int main(int argc, char * argv[])136{137 /* seed randomness */138 srand( (unsigned)time(NULL) );139#ifndef OMITGOOD140 printLine("Calling good()...");141 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15_good();142 printLine("Finished good()");143#endif /* OMITGOOD */144#ifndef OMITBAD145 printLine("Calling bad()...");146 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15_bad();147 printLine("Finished bad()");148#endif /* OMITBAD */149 return 0;150}151152#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 47 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__CWE839_listen_socket_01.c3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml4Template File: sources-sinks-01.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: listen_socket Read data using a listen socket (server side)10 * GoodSource: Non-negative but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the lower bound14 * Flow Variant: 01 Baseline15 *16 * */1718#include "std_testcase.h"1920#ifdef _WIN3221#include <winsock2.h>22#include <windows.h>23#include <direct.h>24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */25#define CLOSE_SOCKET closesocket26#else27#include <sys/types.h>28#include <sys/socket.h>29#include <netinet/in.h>30#include <arpa/inet.h>31#include <unistd.h>32#define INVALID_SOCKET -133#define SOCKET_ERROR -134#define CLOSE_SOCKET close35#define SOCKET int36#endif3738#define TCP_PORT 2701539#define LISTEN_BACKLOG 540#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)4142#ifndef OMITBAD4344void CWE124_Buffer_Underwrite__CWE839_listen_socket_01_bad()45{✓ 46 int data;47 /* Initialize data */✓ 48 data = -1;49 {50#ifdef _WIN32✓ 51 WSADATA wsaData;✓ 52 int wsaDataInit = 0;53#endif✓ 54 int recvResult;✓ 55 struct sockaddr_in service;✓ 56 SOCKET listenSocket = INVALID_SOCKET;✓ 57 SOCKET acceptSocket = INVALID_SOCKET;✓ 58 char inputBuffer[CHAR_ARRAY_SIZE];59 do60 {61#ifdef _WIN32✓ 62 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)63 {✓ 64 break;65 }✓ 66 wsaDataInit = 1;67#endif68 /* POTENTIAL FLAW: Read data using a listen socket */✓ 69 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);✓ 70 if (listenSocket == INVALID_SOCKET)71 {✓ 72 break;73 }✓ 74 memset(&service, 0, sizeof(service));✓ 75 service.sin_family = AF_INET;✓ 76 service.sin_addr.s_addr = INADDR_ANY;✓ 77 service.sin_port = htons(TCP_PORT);✓ 78 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)79 {✓ 80 break;81 }✓ 82 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)83 {✓ 84 break;85 }✓ 86 acceptSocket = accept(listenSocket, NULL, NULL);✓ 87 if (acceptSocket == SOCKET_ERROR)88 {✓ 89 break;90 }91 /* Abort on error or the connection was closed */✓ 92 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);✓ 93 if (recvResult == SOCKET_ERROR || recvResult == 0)94 {✓ 95 break;96 }97 /* NUL-terminate the string */✓ 98 inputBuffer[recvResult] = '\0';99 /* Convert to int */✓100 data = atoi(inputBuffer);101 }✓102 while (0);✓103 if (listenSocket != INVALID_SOCKET)104 {✓105 CLOSE_SOCKET(listenSocket);106 }✓107 if (acceptSocket != INVALID_SOCKET)108 {✓109 CLOSE_SOCKET(acceptSocket);110 }111#ifdef _WIN32✓112 if (wsaDataInit)113 {✓114 WSACleanup();115 }116#endif117 }118 {✓119 int i;✓120 int buffer[10] = { 0 };121 /* POTENTIAL FLAW: Attempt to access a negative index of the array122 * This code does not check to see if the array index is negative */✓123 if (data < 10)124 {✓125 buffer[data] = 1;❗VULN126 /* Print the array values */✓127 for(i = 0; i < 10; i++)128 {✓129 printIntLine(buffer[i]);130 }131 }132 else133 {✓134 printLine("ERROR: Array index is negative.");135 }136 }137}138139#endif /* OMITBAD */140141#ifndef OMITGOOD142143/* goodG2B uses the GoodSource with the BadSink */144static void goodG2B()145{146 int data;147 /* Initialize data */148 data = -1;149 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to150 * access an index of the array in the sink that is out-of-bounds */151 data = 7;152 {153 int i;154 int buffer[10] = { 0 };155 /* POTENTIAL FLAW: Attempt to access a negative index of the array156 * This code does not check to see if the array index is negative */157 if (data < 10)158 {159 buffer[data] = 1;160 /* Print the array values */161 for(i = 0; i < 10; i++)162 {163 printIntLine(buffer[i]);164 }165 }166 else167 {168 printLine("ERROR: Array index is negative.");169 }170 }171}172173/* goodB2G uses the BadSource with the GoodSink */174static void goodB2G()175{176 int data;177 /* Initialize data */178 data = -1;179 {180#ifdef _WIN32181 WSADATA wsaData;182 int wsaDataInit = 0;183#endif184 int recvResult;185 struct sockaddr_in service;186 SOCKET listenSocket = INVALID_SOCKET;187 SOCKET acceptSocket = INVALID_SOCKET;188 char inputBuffer[CHAR_ARRAY_SIZE];189 do190 {191#ifdef _WIN32192 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)193 {194 break;195 }196 wsaDataInit = 1;197#endif198 /* POTENTIAL FLAW: Read data using a listen socket */199 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);200 if (listenSocket == INVALID_SOCKET)201 {202 break;203 }204 memset(&service, 0, sizeof(service));205 service.sin_family = AF_INET;206 service.sin_addr.s_addr = INADDR_ANY;207 service.sin_port = htons(TCP_PORT);208 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)209 {210 break;211 }212 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)213 {214 break;215 }216 acceptSocket = accept(listenSocket, NULL, NULL);217 if (acceptSocket == SOCKET_ERROR)218 {219 break;220 }221 /* Abort on error or the connection was closed */222 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);223 if (recvResult == SOCKET_ERROR || recvResult == 0)224 {225 break;226 }227 /* NUL-terminate the string */228 inputBuffer[recvResult] = '\0';229 /* Convert to int */230 data = atoi(inputBuffer);231 }232 while (0);233 if (listenSocket != INVALID_SOCKET)234 {235 CLOSE_SOCKET(listenSocket);236 }237 if (acceptSocket != INVALID_SOCKET)238 {239 CLOSE_SOCKET(acceptSocket);240 }241#ifdef _WIN32242 if (wsaDataInit)243 {244 WSACleanup();245 }246#endif247 }248 {249 int i;250 int buffer[10] = { 0 };251 /* FIX: Properly validate the array index and prevent a buffer underwrite */252 if (data >= 0 && data < (10))253 {254 buffer[data] = 1;255 /* Print the array values */256 for(i = 0; i < 10; i++)257 {258 printIntLine(buffer[i]);259 }260 }261 else262 {263 printLine("ERROR: Array index is out-of-bounds");264 }265 }266}267268void CWE124_Buffer_Underwrite__CWE839_listen_socket_01_good()269{270 goodG2B();271 goodB2G();272}273274#endif /* OMITGOOD */275276/* Below is the main(). It is only used when building this testcase on277 its own for testing or for building a binary to use in testing binary278 analysis tools. It is not used when compiling all the testcases as one279 application, which is how source code analysis tools are tested. */280281#ifdef INCLUDEMAIN282283int main(int argc, char * argv[])284{285 /* seed randomness */286 srand( (unsigned)time(NULL) );287#ifndef OMITGOOD288 printLine("Calling good()...");289 CWE124_Buffer_Underwrite__CWE839_listen_socket_01_good();290 printLine("Finished good()");291#endif /* OMITGOOD */292#ifndef OMITBAD293 printLine("Calling bad()...");294 CWE124_Buffer_Underwrite__CWE839_listen_socket_01_bad();295 printLine("Finished bad()");296#endif /* OMITBAD */297 return 0;298}299300#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_cpy_05.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 * assigned any other value, so a tool should be able to identify that23 * reads of these will always return their initialized values.24 */25static int staticTrue = 1; /* true */26static int staticFalse = 0; /* false */2728#ifndef OMITBAD2930void CWE127_Buffer_Underread__malloc_char_cpy_05_bad()31{✓ 32 char * data;✓ 33 data = NULL;✓ 34 if(staticTrue)35 {36 {✓ 37 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 38 if (dataBuffer == NULL) {exit(-1);}✓ 39 memset(dataBuffer, 'A', 100-1);✓ 40 dataBuffer[100-1] = '\0';41 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 42 data = dataBuffer - 8;43 }44 }45 {✓ 46 char dest[100*2];✓ 47 memset(dest, 'C', 100*2-1); /* fill with 'C's */✓ 48 dest[100*2-1] = '\0'; /* null terminate */49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 50 strcpy(dest, data);❗VULN✓ 51 printLine(dest);52 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location53 * returned by malloc() so can't safely call free() on it */54 }55}5657#endif /* OMITBAD */5859#ifndef OMITGOOD6061/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */62static void goodG2B1()63{64 char * data;65 data = NULL;66 if(staticFalse)67 {68 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */69 printLine("Benign, fixed string");70 }71 else72 {73 {74 char * dataBuffer = (char *)malloc(100*sizeof(char));75 if (dataBuffer == NULL) {exit(-1);}76 memset(dataBuffer, 'A', 100-1);77 dataBuffer[100-1] = '\0';78 /* FIX: Set data pointer to the allocated memory buffer */79 data = dataBuffer;80 }81 }82 {83 char dest[100*2];84 memset(dest, 'C', 100*2-1); /* fill with 'C's */85 dest[100*2-1] = '\0'; /* null terminate */86 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */87 strcpy(dest, data);88 printLine(dest);89 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location90 * returned by malloc() so can't safely call free() on it */91 }92}9394/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */95static void goodG2B2()96{97 char * data;98 data = NULL;99 if(staticTrue)100 {101 {102 char * dataBuffer = (char *)malloc(100*sizeof(char));103 if (dataBuffer == NULL) {exit(-1);}104 memset(dataBuffer, 'A', 100-1);105 dataBuffer[100-1] = '\0';106 /* FIX: Set data pointer to the allocated memory buffer */107 data = dataBuffer;108 }109 }110 {111 char dest[100*2];112 memset(dest, 'C', 100*2-1); /* fill with 'C's */113 dest[100*2-1] = '\0'; /* null terminate */114 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */115 strcpy(dest, data);116 printLine(dest);117 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location118 * returned by malloc() so can't safely call free() on it */119 }120}121122void CWE127_Buffer_Underread__malloc_char_cpy_05_good()123{124 goodG2B1();125 goodG2B2();126}127128#endif /* OMITGOOD */129130/* Below is the main(). It is only used when building this testcase on131 * its own for testing or for building a binary to use in testing binary132 * analysis tools. It is not used when compiling all the testcases as one133 * application, which is how source code analysis tools are tested.134 */135136#ifdef INCLUDEMAIN137138int main(int argc, char * argv[])139{140 /* seed randomness */141 srand( (unsigned)time(NULL) );142#ifndef OMITGOOD143 printLine("Calling good()...");144 CWE127_Buffer_Underread__malloc_char_cpy_05_good();145 printLine("Finished good()");146#endif /* OMITGOOD */147#ifndef OMITBAD148 printLine("Calling bad()...");149 CWE127_Buffer_Underread__malloc_char_cpy_05_bad();150 printLine("Finished bad()");151#endif /* OMITBAD */152 return 0;153}154155#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_declare_ncpy_02.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: ncpy12 * BadSink : Copy data to string using wcsncpy13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__wchar_t_declare_ncpy_02_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t dataBuffer[100];✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';✓ 29 if(1)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 wchar_t dest[100];✓ 36 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 37 dest[100-1] = L'\0'; /* null terminate */38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 39 wcsncpy(dest, data, wcslen(dest));❗VULN40 /* Ensure null termination */✓ 41 dest[100-1] = L'\0';✓ 42 printWLine(dest);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */51static void goodG2B1()52{53 wchar_t * data;54 wchar_t dataBuffer[100];55 wmemset(dataBuffer, L'A', 100-1);56 dataBuffer[100-1] = L'\0';57 if(0)58 {59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */60 printLine("Benign, fixed string");61 }62 else63 {64 /* FIX: Set data pointer to the allocated memory buffer */65 data = dataBuffer;66 }67 {68 wchar_t dest[100];69 wmemset(dest, L'C', 100-1); /* fill with 'C's */70 dest[100-1] = L'\0'; /* null terminate */71 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */72 wcsncpy(dest, data, wcslen(dest));73 /* Ensure null termination */74 dest[100-1] = L'\0';75 printWLine(dest);76 }77}7879/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */80static void goodG2B2()81{82 wchar_t * data;83 wchar_t dataBuffer[100];84 wmemset(dataBuffer, L'A', 100-1);85 dataBuffer[100-1] = L'\0';86 if(1)87 {88 /* FIX: Set data pointer to the allocated memory buffer */89 data = dataBuffer;90 }91 {92 wchar_t dest[100];93 wmemset(dest, L'C', 100-1); /* fill with 'C's */94 dest[100-1] = L'\0'; /* null terminate */95 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */96 wcsncpy(dest, data, wcslen(dest));97 /* Ensure null termination */98 dest[100-1] = L'\0';99 printWLine(dest);100 }101}102103void CWE127_Buffer_Underread__wchar_t_declare_ncpy_02_good()104{105 goodG2B1();106 goodG2B2();107}108109#endif /* OMITGOOD */110111/* Below is the main(). It is only used when building this testcase on112 * its own for testing or for building a binary to use in testing binary113 * analysis tools. It is not used when compiling all the testcases as one114 * application, which is how source code analysis tools are tested.115 */116117#ifdef INCLUDEMAIN118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 CWE127_Buffer_Underread__wchar_t_declare_ncpy_02_good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 CWE127_Buffer_Underread__wchar_t_declare_ncpy_02_bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int_memmove_32.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml4Template File: sources-sink-32.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy int array to data using memmove13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int_memmove_3220{2122#ifndef OMITBAD2324void bad()25{✓ 26 int * data;✓ 27 int * *dataPtr1 = &data;✓ 28 int * *dataPtr2 = &data;✓ 29 data = NULL;30 {✓ 31 int * data = *dataPtr1;32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 33 data = new int[50];✓ 34 *dataPtr1 = data;35 }36 {✓ 37 int * data = *dataPtr2;38 {✓ 39 int source[100] = {0}; /* fill with 0's */40 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 41 memmove(data, source, 100*sizeof(int));❗VULN✓ 42 printIntLine(data[0]);✓ 43 delete [] data;44 }45 }46}4748#endif /* OMITBAD */4950#ifndef OMITGOOD5152/* goodG2B() uses the GoodSource with the BadSink */53static void goodG2B()54{55 int * data;56 int * *dataPtr1 = &data;57 int * *dataPtr2 = &data;58 data = NULL;59 {60 int * data = *dataPtr1;61 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */62 data = new int[100];63 *dataPtr1 = data;64 }65 {66 int * data = *dataPtr2;67 {68 int source[100] = {0}; /* fill with 0's */69 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */70 memmove(data, source, 100*sizeof(int));71 printIntLine(data[0]);72 delete [] data;73 }74 }75}7677void good()78{79 goodG2B();80}8182#endif /* OMITGOOD */8384} /* close namespace */8586/* Below is the main(). It is only used when building this testcase on87 its own for testing or for building a binary to use in testing binary88 analysis tools. It is not used when compiling all the testcases as one89 application, which is how source code analysis tools are tested. */90#ifdef INCLUDEMAIN9192using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int_memmove_32; /* so that we can use good and bad easily */9394int main(int argc, char * argv[])95{96 /* seed randomness */97 srand( (unsigned)time(NULL) );98#ifndef OMITGOOD99 printLine("Calling good()...");100 good();101 printLine("Finished good()");102#endif /* OMITGOOD */103#ifndef OMITBAD104 printLine("Calling bad()...");105 bad();106 printLine("Finished bad()");107#endif /* OMITBAD */108 return 0;109}110111#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_16.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml4Template File: sources-sink-16.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sink: ncpy12 * BadSink : Copy string to data using strncpy()13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_1627{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 data = NULL;✓ 35 while(1)36 {37 /* FLAW: Did not leave space for a null terminator */✓ 38 data = new char[10];✓ 39 break;40 }41 {✓ 42 char source[10+1] = SRC_STRING;43 /* Copy length + 1 to include NUL terminator from source */44 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 45 strncpy(data, source, strlen(source) + 1);❗VULN✓ 46 printLine(data);✓ 47 delete [] data;48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */56static void goodG2B()57{58 char * data;59 data = NULL;60 while(1)61 {62 /* FIX: Allocate space for a null terminator */63 data = new char[10+1];64 break;65 }66 {67 char source[10+1] = SRC_STRING;68 /* Copy length + 1 to include NUL terminator from source */69 /* POTENTIAL FLAW: data may not have enough space to hold source */70 strncpy(data, source, strlen(source) + 1);71 printLine(data);72 delete [] data;73 }74}7576void good()77{78 goodG2B();79}8081#endif /* OMITGOOD */8283} /* close namespace */8485/* Below is the main(). It is only used when building this testcase on86 its own for testing or for building a binary to use in testing binary87 analysis tools. It is not used when compiling all the testcases as one88 application, which is how source code analysis tools are tested. */8990#ifdef INCLUDEMAIN9192using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_16; /* so that we can use good and bad easily */9394int main(int argc, char * argv[])95{96 /* seed randomness */97 srand( (unsigned)time(NULL) );98#ifndef OMITGOOD99 printLine("Calling good()...");100 good();101 printLine("Finished good()");102#endif /* OMITGOOD */103#ifndef OMITBAD104 printLine("Calling bad()...");105 bad();106 printLine("Finished bad()");107#endif /* OMITBAD */108 return 0;109}110111#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_loop_14.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-14.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__malloc_char_loop_14_bad()24{✓ 25 char * data;✓ 26 data = NULL;✓ 27 if(globalFive==5)28 {29 {✓ 30 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 memset(dataBuffer, 'A', 100-1);✓ 33 dataBuffer[100-1] = '\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 {✓ 39 size_t i;✓ 40 char dest[100];✓ 41 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 42 dest[100-1] = '\0'; /* null terminate */43 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 44 for (i = 0; i < 100; i++)45 {✓ 46 dest[i] = data[i];❗VULN47 }48 /* Ensure null termination */✓ 49 dest[100-1] = '\0';✓ 50 printLine(dest);51 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location52 * returned by malloc() so can't safely call free() on it */53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */61static void goodG2B1()62{63 char * data;64 data = NULL;65 if(globalFive!=5)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 {73 char * dataBuffer = (char *)malloc(100*sizeof(char));74 if (dataBuffer == NULL) {exit(-1);}75 memset(dataBuffer, 'A', 100-1);76 dataBuffer[100-1] = '\0';77 /* FIX: Set data pointer to the allocated memory buffer */78 data = dataBuffer;79 }80 }81 {82 size_t i;83 char dest[100];84 memset(dest, 'C', 100-1); /* fill with 'C's */85 dest[100-1] = '\0'; /* null terminate */86 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */87 for (i = 0; i < 100; i++)88 {89 dest[i] = data[i];90 }91 /* Ensure null termination */92 dest[100-1] = '\0';93 printLine(dest);94 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location95 * returned by malloc() so can't safely call free() on it */96 }97}9899/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */100static void goodG2B2()101{102 char * data;103 data = NULL;104 if(globalFive==5)105 {106 {107 char * dataBuffer = (char *)malloc(100*sizeof(char));108 if (dataBuffer == NULL) {exit(-1);}109 memset(dataBuffer, 'A', 100-1);110 dataBuffer[100-1] = '\0';111 /* FIX: Set data pointer to the allocated memory buffer */112 data = dataBuffer;113 }114 }115 {116 size_t i;117 char dest[100];118 memset(dest, 'C', 100-1); /* fill with 'C's */119 dest[100-1] = '\0'; /* null terminate */120 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */121 for (i = 0; i < 100; i++)122 {123 dest[i] = data[i];124 }125 /* Ensure null termination */126 dest[100-1] = '\0';127 printLine(dest);128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location129 * returned by malloc() so can't safely call free() on it */130 }131}132133void CWE127_Buffer_Underread__malloc_char_loop_14_good()134{135 goodG2B1();136 goodG2B2();137}138139#endif /* OMITGOOD */140141/* Below is the main(). It is only used when building this testcase on142 * its own for testing or for building a binary to use in testing binary143 * analysis tools. It is not used when compiling all the testcases as one144 * application, which is how source code analysis tools are tested.145 */146147#ifdef INCLUDEMAIN148149int main(int argc, char * argv[])150{151 /* seed randomness */152 srand( (unsigned)time(NULL) );153#ifndef OMITGOOD154 printLine("Calling good()...");155 CWE127_Buffer_Underread__malloc_char_loop_14_good();156 printLine("Finished good()");157#endif /* OMITGOOD */158#ifndef OMITBAD159 printLine("Calling bad()...");160 CWE127_Buffer_Underread__malloc_char_loop_14_bad();161 printLine("Finished bad()");162#endif /* OMITBAD */163 return 0;164}165166#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_17.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml4Template File: sources-sink-17.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncpy12 * BadSink : Copy data to string using wcsncpy13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_1722{2324#ifndef OMITBAD2526void bad()27{✓ 28 int i;✓ 29 wchar_t * data;✓ 30 data = new wchar_t[100];✓ 31 for(i = 0; i < 1; i++)32 {33 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 34 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 35 data[100-1] = L'\0'; /* null terminate */36 }37 {✓ 38 wchar_t dest[50] = L"";39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 40 wcsncpy(dest, data, wcslen(data));❗VULN✓ 41 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 42 printWLine(data);✓ 43 delete [] data;44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B() - use goodsource in the for statement */52static void goodG2B()53{54 int h;55 wchar_t * data;56 data = new wchar_t[100];57 for(h = 0; h < 1; h++)58 {59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */60 wmemset(data, L'A', 50-1); /* fill with L'A's */61 data[50-1] = L'\0'; /* null terminate */62 }63 {64 wchar_t dest[50] = L"";65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */66 wcsncpy(dest, data, wcslen(data));67 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */68 printWLine(data);69 delete [] data;70 }71}7273void good()74{75 goodG2B();76}7778#endif /* OMITGOOD */7980} /* close namespace */8182/* Below is the main(). It is only used when building this testcase on83 its own for testing or for building a binary to use in testing binary84 analysis tools. It is not used when compiling all the testcases as one85 application, which is how source code analysis tools are tested. */8687#ifdef INCLUDEMAIN8889using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_17; /* so that we can use good and bad easily */9091int main(int argc, char * argv[])92{93 /* seed randomness */94 srand( (unsigned)time(NULL) );95#ifndef OMITGOOD96 printLine("Calling good()...");97 good();98 printLine("Finished good()");99#endif /* OMITGOOD */100#ifndef OMITBAD101 printLine("Calling bad()...");102 bad();103 printLine("Finished bad()");104#endif /* OMITBAD */105 return 0;106}107108#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 22 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml4Template File: sources-sinks-17.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: fgets Read data from the console using fgets()10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 17 Control flow: for loops15 *16 * */1718#include "std_testcase.h"1920#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)2122#ifndef OMITBAD2324void CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17_bad()25{✓ 26 int i,j;✓ 27 int data;28 /* Initialize data */✓ 29 data = -1;✓ 30 for(i = 0; i < 1; i++)31 {32 {✓ 33 char inputBuffer[CHAR_ARRAY_SIZE] = "";34 /* POTENTIAL FLAW: Read data from the console using fgets() */✓ 35 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)36 {37 /* Convert to int */✓ 38 data = atoi(inputBuffer);39 }40 else41 {✓ 42 printLine("fgets() failed.");43 }44 }45 }✓ 46 for(j = 0; j < 1; j++)47 {48 {✓ 49 int i;✓ 50 int buffer[10] = { 0 };51 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound52 * This code does check to see if the array index is negative */✓ 53 if (data >= 0)54 {✓ 55 buffer[data] = 1;❗VULN56 /* Print the array values */✓ 57 for(i = 0; i < 10; i++)58 {✓ 59 printIntLine(buffer[i]);60 }61 }62 else63 {✓ 64 printLine("ERROR: Array index is negative.");65 }66 }67 }68}6970#endif /* OMITBAD */7172#ifndef OMITGOOD7374/* goodB2G() - use badsource and goodsink in the for statements */75static void goodB2G()76{77 int i,k;78 int data;79 /* Initialize data */80 data = -1;81 for(i = 0; i < 1; i++)82 {83 {84 char inputBuffer[CHAR_ARRAY_SIZE] = "";85 /* POTENTIAL FLAW: Read data from the console using fgets() */86 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)87 {88 /* Convert to int */89 data = atoi(inputBuffer);90 }91 else92 {93 printLine("fgets() failed.");94 }95 }96 }97 for(k = 0; k < 1; k++)98 {99 {100 int i;101 int buffer[10] = { 0 };102 /* FIX: Properly validate the array index and prevent a buffer overflow */103 if (data >= 0 && data < (10))104 {105 buffer[data] = 1;106 /* Print the array values */107 for(i = 0; i < 10; i++)108 {109 printIntLine(buffer[i]);110 }111 }112 else113 {114 printLine("ERROR: Array index is out-of-bounds");115 }116 }117 }118}119120/* goodG2B() - use goodsource and badsink in the for statements */121static void goodG2B()122{123 int h,j;124 int data;125 /* Initialize data */126 data = -1;127 for(h = 0; h < 1; h++)128 {129 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to130 * access an index of the array in the sink that is out-of-bounds */131 data = 7;132 }133 for(j = 0; j < 1; j++)134 {135 {136 int i;137 int buffer[10] = { 0 };138 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound139 * This code does check to see if the array index is negative */140 if (data >= 0)141 {142 buffer[data] = 1;143 /* Print the array values */144 for(i = 0; i < 10; i++)145 {146 printIntLine(buffer[i]);147 }148 }149 else150 {151 printLine("ERROR: Array index is negative.");152 }153 }154 }155}156157void CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17_good()158{159 goodB2G();160 goodG2B();161}162163#endif /* OMITGOOD */164165/* Below is the main(). It is only used when building this testcase on166 its own for testing or for building a binary to use in testing binary167 analysis tools. It is not used when compiling all the testcases as one168 application, which is how source code analysis tools are tested. */169170#ifdef INCLUDEMAIN171172int main(int argc, char * argv[])173{174 /* seed randomness */175 srand( (unsigned)time(NULL) );176#ifndef OMITGOOD177 printLine("Calling good()...");178 CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17_good();179 printLine("Finished good()");180#endif /* OMITGOOD */181#ifndef OMITBAD182 printLine("Calling bad()...");183 CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17_bad();184 printLine("Finished bad()");185#endif /* OMITBAD */186 return 0;187}188189#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_01.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-01.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: ncat12 * BadSink : Copy string to data using wcsncat13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_0122{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 31 data = new wchar_t[50];✓ 32 data[0] = L'\0'; /* null terminate */33 {✓ 34 wchar_t source[100];✓ 35 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 36 source[100-1] = L'\0'; /* null terminate */37 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 38 wcsncat(data, source, 100);❗VULN✓ 39 printWLine(data);✓ 40 delete [] data;41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B uses the GoodSource with the BadSink */49static void goodG2B()50{51 wchar_t * data;52 data = NULL;53 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */54 data = new wchar_t[100];55 data[0] = L'\0'; /* null terminate */56 {57 wchar_t source[100];58 wmemset(source, L'C', 100-1); /* fill with L'C's */59 source[100-1] = L'\0'; /* null terminate */60 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */61 wcsncat(data, source, 100);62 printWLine(data);63 delete [] data;64 }65}6667void good()68{69 goodG2B();70}7172#endif /* OMITGOOD */7374} /* close namespace */7576/* Below is the main(). It is only used when building this testcase on77 its own for testing or for building a binary to use in testing binary78 analysis tools. It is not used when compiling all the testcases as one79 application, which is how source code analysis tools are tested. */8081#ifdef INCLUDEMAIN8283using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_01; /* so that we can use good and bad easily */8485int main(int argc, char * argv[])86{87 /* seed randomness */88 srand( (unsigned)time(NULL) );89#ifndef OMITGOOD90 printLine("Calling good()...");91 good();92 printLine("Finished good()");93#endif /* OMITGOOD */94#ifndef OMITBAD95 printLine("Calling bad()...");96 bad();97 printLine("Finished bad()");98#endif /* OMITBAD */99 return 0;100}101102#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-42.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncat12 * BadSink : Copy data to string using strncat13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223static char * badSource(char * data)24{25 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */26 memset(data, 'A', 100-1); /* fill with 'A's */27 data[100-1] = '\0'; /* null terminate */28 return data;29}3031void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42_bad()32{✓ 33 char * data;✓ 34 char dataBuffer[100];✓ 35 data = dataBuffer;✓ 36 data = badSource(data);37 {✓ 38 char dest[50] = "";39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/✓ 40 strncat(dest, data, strlen(data));❗VULN✓ 41 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 42 printLine(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950static char * goodG2BSource(char * data)51{52 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */53 memset(data, 'A', 50-1); /* fill with 'A's */54 data[50-1] = '\0'; /* null terminate */55 return data;56}5758/* goodG2B uses the GoodSource with the BadSink */59static void goodG2B()60{61 char * data;62 char dataBuffer[100];63 data = dataBuffer;64 data = goodG2BSource(data);65 {66 char dest[50] = "";67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/68 strncat(dest, data, strlen(data));69 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */70 printLine(data);71 }72}7374void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42_good()75{76 goodG2B();77}7879#endif /* OMITGOOD */8081/* Below is the main(). It is only used when building this testcase on82 * its own for testing or for building a binary to use in testing binary83 * analysis tools. It is not used when compiling all the testcases as one84 * application, which is how source code analysis tools are tested.85 */8687#ifdef INCLUDEMAIN8889int main(int argc, char * argv[])90{91 /* seed randomness */92 srand( (unsigned)time(NULL) );93#ifndef OMITGOOD94 printLine("Calling good()...");95 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42_good();96 printLine("Finished good()");97#endif /* OMITGOOD */98#ifndef OMITBAD99 printLine("Calling bad()...");100 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42_bad();101 printLine("Finished bad()");102#endif /* OMITBAD */103 return 0;104}105106#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_src.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sinks: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021typedef union22{23 char * unionFirst;24 char * unionSecond;25} CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_unionType;2627#ifndef OMITBAD2829void CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_bad()30{✓ 31 char * data;✓ 32 CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_unionType myUnion;✓ 33 data = (char *)malloc(100*sizeof(char));✓ 34 if (data == NULL) {exit(-1);}35 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 36 memset(data, 'A', 100-1); /* fill with 'A's */✓ 37 data[100-1] = '\0'; /* null terminate */✓ 38 myUnion.unionFirst = data;39 {✓ 40 char * data = myUnion.unionSecond;41 {✓ 42 char dest[50] = "";43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 44 strcpy(dest, data);❗VULN✓ 45 printLine(data);✓ 46 free(data);47 }48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() uses the GoodSource with the BadSink */56static void goodG2B()57{58 char * data;59 CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_unionType myUnion;60 data = (char *)malloc(100*sizeof(char));61 if (data == NULL) {exit(-1);}62 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */63 memset(data, 'A', 50-1); /* fill with 'A's */64 data[50-1] = '\0'; /* null terminate */65 myUnion.unionFirst = data;66 {67 char * data = myUnion.unionSecond;68 {69 char dest[50] = "";70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */71 strcpy(dest, data);72 printLine(data);73 free(data);74 }75 }76}7778void CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_good()79{80 goodG2B();81}8283#endif /* OMITGOOD */8485/* Below is the main(). It is only used when building this testcase on86 * its own for testing or for building a binary to use in testing binary87 * analysis tools. It is not used when compiling all the testcases as one88 * application, which is how source code analysis tools are tested.89 */90#ifdef INCLUDEMAIN9192int main(int argc, char * argv[])93{94 /* seed randomness */95 srand( (unsigned)time(NULL) );96#ifndef OMITGOOD97 printLine("Calling good()...");98 CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_good();99 printLine("Finished good()");100#endif /* OMITGOOD */101#ifndef OMITBAD102 printLine("Calling bad()...");103 CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_bad();104 printLine("Finished bad()");105#endif /* OMITBAD */106 return 0;107}108109#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02.c3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy string to data using wcscpy13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;✓ 27 if(1)28 {29 {✓ 30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 wmemset(dataBuffer, L'A', 100-1);✓ 33 dataBuffer[100-1] = L'\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 {✓ 39 wchar_t source[100];✓ 40 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 41 source[100-1] = L'\0'; /* null terminate */42 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 43 wcscpy(data, source);❗VULN✓ 44 printWLine(data);45 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location46 * returned by malloc() so can't safely call free() on it */47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */55static void goodG2B1()56{57 wchar_t * data;58 data = NULL;59 if(0)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 {67 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));68 if (dataBuffer == NULL) {exit(-1);}69 wmemset(dataBuffer, L'A', 100-1);70 dataBuffer[100-1] = L'\0';71 /* FIX: Set data pointer to the allocated memory buffer */72 data = dataBuffer;73 }74 }75 {76 wchar_t source[100];77 wmemset(source, L'C', 100-1); /* fill with 'C's */78 source[100-1] = L'\0'; /* null terminate */79 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */80 wcscpy(data, source);81 printWLine(data);82 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location83 * returned by malloc() so can't safely call free() on it */84 }85}8687/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */88static void goodG2B2()89{90 wchar_t * data;91 data = NULL;92 if(1)93 {94 {95 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));96 if (dataBuffer == NULL) {exit(-1);}97 wmemset(dataBuffer, L'A', 100-1);98 dataBuffer[100-1] = L'\0';99 /* FIX: Set data pointer to the allocated memory buffer */100 data = dataBuffer;101 }102 }103 {104 wchar_t source[100];105 wmemset(source, L'C', 100-1); /* fill with 'C's */106 source[100-1] = L'\0'; /* null terminate */107 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */108 wcscpy(data, source);109 printWLine(data);110 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location111 * returned by malloc() so can't safely call free() on it */112 }113}114115void CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02_good()116{117 goodG2B1();118 goodG2B2();119}120121#endif /* OMITGOOD */122123/* Below is the main(). It is only used when building this testcase on124 * its own for testing or for building a binary to use in testing binary125 * analysis tools. It is not used when compiling all the testcases as one126 * application, which is how source code analysis tools are tested.127 */128129#ifdef INCLUDEMAIN130131int main(int argc, char * argv[])132{133 /* seed randomness */134 srand( (unsigned)time(NULL) );135#ifndef OMITGOOD136 printLine("Calling good()...");137 CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02_good();138 printLine("Finished good()");139#endif /* OMITGOOD */140#ifndef OMITBAD141 printLine("Calling bad()...");142 CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02_bad();143 printLine("Finished bad()");144#endif /* OMITBAD */145 return 0;146}147148#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21.c3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml4Template File: sources-sink-21.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223/* The static variable below is used to drive control flow in the source function */24static int badStatic = 0;2526static wchar_t * badSource(wchar_t * data)27{28 if(badStatic)29 {30 {31 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));32 if (dataBuffer == NULL) {exit(-1);}33 wmemset(dataBuffer, L'A', 100-1);34 dataBuffer[100-1] = L'\0';35 /* FLAW: Set data pointer to before the allocated memory buffer */36 data = dataBuffer - 8;37 }38 }39 return data;40}4142void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21_bad()43{✓ 44 wchar_t * data;✓ 45 data = NULL;✓ 46 badStatic = 1; /* true */✓ 47 data = badSource(data);48 {✓ 49 size_t i;✓ 50 wchar_t source[100];✓ 51 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 52 source[100-1] = L'\0'; /* null terminate */53 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 54 for (i = 0; i < 100; i++)55 {✓ 56 data[i] = source[i];❗VULN57 }58 /* Ensure the destination buffer is null terminated */✓ 59 data[100-1] = L'\0';✓ 60 printWLine(data);61 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location62 * returned by malloc() so can't safely call free() on it */63 }64}6566#endif /* OMITBAD */6768#ifndef OMITGOOD6970/* The static variables below are used to drive control flow in the source functions. */71static int goodG2B1Static = 0;72static int goodG2B2Static = 0;7374/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */75static wchar_t * goodG2B1Source(wchar_t * data)76{77 if(goodG2B1Static)78 {79 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */80 printLine("Benign, fixed string");81 }82 else83 {84 {85 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));86 if (dataBuffer == NULL) {exit(-1);}87 wmemset(dataBuffer, L'A', 100-1);88 dataBuffer[100-1] = L'\0';89 /* FIX: Set data pointer to the allocated memory buffer */90 data = dataBuffer;91 }92 }93 return data;94}9596static void goodG2B1()97{98 wchar_t * data;99 data = NULL;100 goodG2B1Static = 0; /* false */101 data = goodG2B1Source(data);102 {103 size_t i;104 wchar_t source[100];105 wmemset(source, L'C', 100-1); /* fill with 'C's */106 source[100-1] = L'\0'; /* null terminate */107 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */108 for (i = 0; i < 100; i++)109 {110 data[i] = source[i];111 }112 /* Ensure the destination buffer is null terminated */113 data[100-1] = L'\0';114 printWLine(data);115 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location116 * returned by malloc() so can't safely call free() on it */117 }118}119120/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */121static wchar_t * goodG2B2Source(wchar_t * data)122{123 if(goodG2B2Static)124 {125 {126 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));127 if (dataBuffer == NULL) {exit(-1);}128 wmemset(dataBuffer, L'A', 100-1);129 dataBuffer[100-1] = L'\0';130 /* FIX: Set data pointer to the allocated memory buffer */131 data = dataBuffer;132 }133 }134 return data;135}136137static void goodG2B2()138{139 wchar_t * data;140 data = NULL;141 goodG2B2Static = 1; /* true */142 data = goodG2B2Source(data);143 {144 size_t i;145 wchar_t source[100];146 wmemset(source, L'C', 100-1); /* fill with 'C's */147 source[100-1] = L'\0'; /* null terminate */148 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */149 for (i = 0; i < 100; i++)150 {151 data[i] = source[i];152 }153 /* Ensure the destination buffer is null terminated */154 data[100-1] = L'\0';155 printWLine(data);156 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location157 * returned by malloc() so can't safely call free() on it */158 }159}160161void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21_good()162{163 goodG2B1();164 goodG2B2();165}166167#endif /* OMITGOOD */168169/* Below is the main(). It is only used when building this testcase on170 * its own for testing or for building a binary to use in testing binary171 * analysis tools. It is not used when compiling all the testcases as one172 * application, which is how source code analysis tools are tested.173 */174175#ifdef INCLUDEMAIN176177int main(int argc, char * argv[])178{179 /* seed randomness */180 srand( (unsigned)time(NULL) );181#ifndef OMITGOOD182 printLine("Calling good()...");183 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21_good();184 printLine("Finished good()");185#endif /* OMITGOOD */186#ifndef OMITBAD187 printLine("Calling bad()...");188 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21_bad();189 printLine("Finished bad()");190#endif /* OMITBAD */191 return 0;192}193194#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 7 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE131.label.xml4Template File: sources-sink-14.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Allocate memory without using sizeof(int)10 * GoodSource: Allocate memory using sizeof(int)11 * Sink: memmove12 * BadSink : Copy array to data using memmove()13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14_bad()22{✓ 23 int * data;✓ 24 data = NULL;✓ 25 if(globalFive==5)26 {27 /* FLAW: Allocate memory without using sizeof(int) */✓ 28 data = (int *)ALLOCA(10);29 }30 {✓ 31 int source[10] = {0};32 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */✓ 33 memmove(data, source, 10*sizeof(int));❗VULN✓ 34 printIntLine(data[0]);35 }36}3738#endif /* OMITBAD */3940#ifndef OMITGOOD4142/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */43static void goodG2B1()44{45 int * data;46 data = NULL;47 if(globalFive!=5)48 {49 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */50 printLine("Benign, fixed string");51 }52 else53 {54 /* FIX: Allocate memory using sizeof(int) */55 data = (int *)ALLOCA(10*sizeof(int));56 }57 {58 int source[10] = {0};59 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */60 memmove(data, source, 10*sizeof(int));61 printIntLine(data[0]);62 }63}6465/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */66static void goodG2B2()67{68 int * data;69 data = NULL;70 if(globalFive==5)71 {72 /* FIX: Allocate memory using sizeof(int) */73 data = (int *)ALLOCA(10*sizeof(int));74 }75 {76 int source[10] = {0};77 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */78 memmove(data, source, 10*sizeof(int));79 printIntLine(data[0]);80 }81}8283void CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14_good()84{85 goodG2B1();86 goodG2B2();87}8889#endif /* OMITGOOD */9091/* Below is the main(). It is only used when building this testcase on92 * its own for testing or for building a binary to use in testing binary93 * analysis tools. It is not used when compiling all the testcases as one94 * application, which is how source code analysis tools are tested.95 */9697#ifdef INCLUDEMAIN9899int main(int argc, char * argv[])100{101 /* seed randomness */102 srand( (unsigned)time(NULL) );103#ifndef OMITGOOD104 printLine("Calling good()...");105 CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14_good();106 printLine("Finished good()");107#endif /* OMITGOOD */108#ifndef OMITBAD109 printLine("Calling bad()...");110 CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14_bad();111 printLine("Finished bad()");112#endif /* OMITBAD */113 return 0;114}115116#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__new_wchar_t_memmove_18.cpp3Label Definition File: CWE127_Buffer_Underread__new.label.xml4Template File: sources-sink-18.tmpl.cpp5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE127_Buffer_Underread__new_wchar_t_memmove_1822{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;✓ 30 goto source;✓ 31source:32 {✓ 33 wchar_t * dataBuffer = new wchar_t[100];✓ 34 wmemset(dataBuffer, L'A', 100-1);✓ 35 dataBuffer[100-1] = L'\0';36 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 37 data = dataBuffer - 8;38 }39 {✓ 40 wchar_t dest[100];✓ 41 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 42 dest[100-1] = L'\0'; /* null terminate */43 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 44 memmove(dest, data, 100*sizeof(wchar_t));❗VULN45 /* Ensure null termination */✓ 46 dest[100-1] = L'\0';✓ 47 printWLine(dest);48 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location49 * returned by new [] so can't safely call delete [] on it */50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */58static void goodG2B()59{60 wchar_t * data;61 data = NULL;62 goto source;63source:64 {65 wchar_t * dataBuffer = new wchar_t[100];66 wmemset(dataBuffer, L'A', 100-1);67 dataBuffer[100-1] = L'\0';68 /* FIX: Set data pointer to the allocated memory buffer */69 data = dataBuffer;70 }71 {72 wchar_t dest[100];73 wmemset(dest, L'C', 100-1); /* fill with 'C's */74 dest[100-1] = L'\0'; /* null terminate */75 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */76 memmove(dest, data, 100*sizeof(wchar_t));77 /* Ensure null termination */78 dest[100-1] = L'\0';79 printWLine(dest);80 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location81 * returned by new [] so can't safely call delete [] on it */82 }83}8485void good()86{87 goodG2B();88}8990#endif /* OMITGOOD */9192} /* close namespace */9394/* Below is the main(). It is only used when building this testcase on95 its own for testing or for building a binary to use in testing binary96 analysis tools. It is not used when compiling all the testcases as one97 application, which is how source code analysis tools are tested. */9899#ifdef INCLUDEMAIN100101using namespace CWE127_Buffer_Underread__new_wchar_t_memmove_18; /* so that we can use good and bad easily */102103int main(int argc, char * argv[])104{105 /* seed randomness */106 srand( (unsigned)time(NULL) );107#ifndef OMITGOOD108 printLine("Calling good()...");109 good();110 printLine("Finished good()");111#endif /* OMITGOOD */112#ifndef OMITBAD113 printLine("Calling bad()...");114 bad();115 printLine("Finished bad()");116#endif /* OMITBAD */117 return 0;118}119120#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory without using sizeof(int)10 * GoodSource: Allocate memory using sizeof(int)11 * Sink: memmove12 * BadSink : Copy array to data using memmove()13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819/* The two variables below are not defined as "const", but are never20 * assigned any other value, so a tool should be able to identify that21 * reads of these will always return their initialized values.22 */23static int staticTrue = 1; /* true */24static int staticFalse = 0; /* false */2526#ifndef OMITBAD2728void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05_bad()29{✓ 30 int * data;✓ 31 data = NULL;✓ 32 if(staticTrue)33 {34 /* FLAW: Allocate memory without using sizeof(int) */✓ 35 data = (int *)malloc(10);✓ 36 if (data == NULL) {exit(-1);}37 }38 {✓ 39 int source[10] = {0};40 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */✓ 41 memmove(data, source, 10*sizeof(int));❗VULN✓ 42 printIntLine(data[0]);✓ 43 free(data);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */52static void goodG2B1()53{54 int * data;55 data = NULL;56 if(staticFalse)57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Allocate memory using sizeof(int) */64 data = (int *)malloc(10*sizeof(int));65 if (data == NULL) {exit(-1);}66 }67 {68 int source[10] = {0};69 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */70 memmove(data, source, 10*sizeof(int));71 printIntLine(data[0]);72 free(data);73 }74}7576/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */77static void goodG2B2()78{79 int * data;80 data = NULL;81 if(staticTrue)82 {83 /* FIX: Allocate memory using sizeof(int) */84 data = (int *)malloc(10*sizeof(int));85 if (data == NULL) {exit(-1);}86 }87 {88 int source[10] = {0};89 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */90 memmove(data, source, 10*sizeof(int));91 printIntLine(data[0]);92 free(data);93 }94}9596void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05_good()97{98 goodG2B1();99 goodG2B2();100}101102#endif /* OMITGOOD */103104/* Below is the main(). It is only used when building this testcase on105 * its own for testing or for building a binary to use in testing binary106 * analysis tools. It is not used when compiling all the testcases as one107 * application, which is how source code analysis tools are tested.108 */109110#ifdef INCLUDEMAIN111112int main(int argc, char * argv[])113{114 /* seed randomness */115 srand( (unsigned)time(NULL) );116#ifndef OMITGOOD117 printLine("Calling good()...");118 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05_good();119 printLine("Finished good()");120#endif /* OMITGOOD */121#ifndef OMITBAD122 printLine("Calling bad()...");123 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05_bad();124 printLine("Finished bad()");125#endif /* OMITBAD */126 return 0;127}128129#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sink: loop12 * BadSink : Copy array to data using a loop13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526#ifndef OMITBAD2728void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02_bad()29{✓ 30 char * data;✓ 31 data = NULL;✓ 32 if(1)33 {34 /* FLAW: Did not leave space for a null terminator */✓ 35 data = (char *)malloc(10*sizeof(char));✓ 36 if (data == NULL) {exit(-1);}37 }38 {✓ 39 char source[10+1] = SRC_STRING;✓ 40 size_t i, sourceLen;✓ 41 sourceLen = strlen(source);42 /* Copy length + 1 to include NUL terminator from source */43 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 44 for (i = 0; i < sourceLen + 1; i++)45 {✓ 46 data[i] = source[i];❗VULN47 }✓ 48 printLine(data);✓ 49 free(data);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */58static void goodG2B1()59{60 char * data;61 data = NULL;62 if(0)63 {64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */65 printLine("Benign, fixed string");66 }67 else68 {69 /* FIX: Allocate space for a null terminator */70 data = (char *)malloc((10+1)*sizeof(char));71 if (data == NULL) {exit(-1);}72 }73 {74 char source[10+1] = SRC_STRING;75 size_t i, sourceLen;76 sourceLen = strlen(source);77 /* Copy length + 1 to include NUL terminator from source */78 /* POTENTIAL FLAW: data may not have enough space to hold source */79 for (i = 0; i < sourceLen + 1; i++)80 {81 data[i] = source[i];82 }83 printLine(data);84 free(data);85 }86}8788/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */89static void goodG2B2()90{91 char * data;92 data = NULL;93 if(1)94 {95 /* FIX: Allocate space for a null terminator */96 data = (char *)malloc((10+1)*sizeof(char));97 if (data == NULL) {exit(-1);}98 }99 {100 char source[10+1] = SRC_STRING;101 size_t i, sourceLen;102 sourceLen = strlen(source);103 /* Copy length + 1 to include NUL terminator from source */104 /* POTENTIAL FLAW: data may not have enough space to hold source */105 for (i = 0; i < sourceLen + 1; i++)106 {107 data[i] = source[i];108 }109 printLine(data);110 free(data);111 }112}113114void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02_good()115{116 goodG2B1();117 goodG2B2();118}119120#endif /* OMITGOOD */121122/* Below is the main(). It is only used when building this testcase on123 * its own for testing or for building a binary to use in testing binary124 * analysis tools. It is not used when compiling all the testcases as one125 * application, which is how source code analysis tools are tested.126 */127128#ifdef INCLUDEMAIN129130int main(int argc, char * argv[])131{132 /* seed randomness */133 srand( (unsigned)time(NULL) );134#ifndef OMITGOOD135 printLine("Calling good()...");136 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02_good();137 printLine("Finished good()");138#endif /* OMITGOOD */139#ifndef OMITBAD140 printLine("Calling bad()...");141 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02_bad();142 printLine("Finished bad()");143#endif /* OMITBAD */144 return 0;145}146147#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-17.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17_bad()24{✓ 25 int i;✓ 26 char * data;✓ 27 char dataBadBuffer[50];✓ 28 char dataGoodBuffer[100];✓ 29 for(i = 0; i < 1; i++)30 {31 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination32 * buffer in various memory copying functions using a "large" source buffer. */✓ 33 data = dataBadBuffer;✓ 34 data[0] = '\0'; /* null terminate */35 }36 {✓ 37 size_t i;✓ 38 char source[100];✓ 39 memset(source, 'C', 100-1); /* fill with 'C's */✓ 40 source[100-1] = '\0'; /* null terminate */41 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 42 for (i = 0; i < 100; i++)43 {✓ 44 data[i] = source[i];❗VULN45 }✓ 46 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 47 printLine(data);48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */56static void goodG2B()57{58 int h;59 char * data;60 char dataBadBuffer[50];61 char dataGoodBuffer[100];62 for(h = 0; h < 1; h++)63 {64 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */65 data = dataGoodBuffer;66 data[0] = '\0'; /* null terminate */67 }68 {69 size_t i;70 char source[100];71 memset(source, 'C', 100-1); /* fill with 'C's */72 source[100-1] = '\0'; /* null terminate */73 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */74 for (i = 0; i < 100; i++)75 {76 data[i] = source[i];77 }78 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */79 printLine(data);80 }81}8283void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17_good()84{85 goodG2B();86}8788#endif /* OMITGOOD */8990/* Below is the main(). It is only used when building this testcase on91 * its own for testing or for building a binary to use in testing binary92 * analysis tools. It is not used when compiling all the testcases as one93 * application, which is how source code analysis tools are tested.94 */9596#ifdef INCLUDEMAIN9798int main(int argc, char * argv[])99{100 /* seed randomness */101 srand( (unsigned)time(NULL) );102#ifndef OMITGOOD103 printLine("Calling good()...");104 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17_good();105 printLine("Finished good()");106#endif /* OMITGOOD */107#ifndef OMITBAD108 printLine("Calling bad()...");109 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17_bad();110 printLine("Finished bad()");111#endif /* OMITBAD */112 return 0;113}114115#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 46 | Sink Nodes: 2 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* Error: Could not load file CWE123_Write_What_Where_Condition__listen_socket_34.c: File CWE123_Write_What_Where_Condition__listen_socket_34.c not found in any subfolder of /home/nimana11/Thesis/codes/VulExplainerExp-84ED_2/datasets/buffer overflow/function/testcases/CWE123_Write_What_Where_Condition */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_alloca_cpy_17.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-17.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__char_alloca_cpy_17_bad()24{✓ 25 int i;✓ 26 char * data;✓ 27 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 28 memset(dataBuffer, 'A', 100-1);✓ 29 dataBuffer[100-1] = '\0';✓ 30 for(i = 0; i < 1; i++)31 {32 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 33 data = dataBuffer - 8;34 }35 {✓ 36 char dest[100*2];✓ 37 memset(dest, 'C', 100*2-1); /* fill with 'C's */✓ 38 dest[100*2-1] = '\0'; /* null terminate */39 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 40 strcpy(dest, data);❗VULN✓ 41 printLine(dest);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */50static void goodG2B()51{52 int h;53 char * data;54 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));55 memset(dataBuffer, 'A', 100-1);56 dataBuffer[100-1] = '\0';57 for(h = 0; h < 1; h++)58 {59 /* FIX: Set data pointer to the allocated memory buffer */60 data = dataBuffer;61 }62 {63 char dest[100*2];64 memset(dest, 'C', 100*2-1); /* fill with 'C's */65 dest[100*2-1] = '\0'; /* null terminate */66 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */67 strcpy(dest, data);68 printLine(dest);69 }70}7172void CWE127_Buffer_Underread__char_alloca_cpy_17_good()73{74 goodG2B();75}7677#endif /* OMITGOOD */7879/* Below is the main(). It is only used when building this testcase on80 * its own for testing or for building a binary to use in testing binary81 * analysis tools. It is not used when compiling all the testcases as one82 * application, which is how source code analysis tools are tested.83 */8485#ifdef INCLUDEMAIN8687int main(int argc, char * argv[])88{89 /* seed randomness */90 srand( (unsigned)time(NULL) );91#ifndef OMITGOOD92 printLine("Calling good()...");93 CWE127_Buffer_Underread__char_alloca_cpy_17_good();94 printLine("Finished good()");95#endif /* OMITGOOD */96#ifndef OMITBAD97 printLine("Calling bad()...");98 CWE127_Buffer_Underread__char_alloca_cpy_17_bad();99 printLine("Finished bad()");100#endif /* OMITBAD */101 return 0;102}103104#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_wchar_t_ncpy_18.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-18.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: ncpy12 * BadSink : Copy string to data using wcsncpy13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE124_Buffer_Underwrite__new_wchar_t_ncpy_1822{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;✓ 30 goto source;✓ 31source:32 {✓ 33 wchar_t * dataBuffer = new wchar_t[100];✓ 34 wmemset(dataBuffer, L'A', 100-1);✓ 35 dataBuffer[100-1] = L'\0';36 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 37 data = dataBuffer - 8;38 }39 {✓ 40 wchar_t source[100];✓ 41 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 42 source[100-1] = L'\0'; /* null terminate */43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 44 wcsncpy(data, source, 100-1);❗VULN45 /* Ensure the destination buffer is null terminated */✓ 46 data[100-1] = L'\0';✓ 47 printWLine(data);48 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location49 * returned by new [] so can't safely call delete [] on it */50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */58static void goodG2B()59{60 wchar_t * data;61 data = NULL;62 goto source;63source:64 {65 wchar_t * dataBuffer = new wchar_t[100];66 wmemset(dataBuffer, L'A', 100-1);67 dataBuffer[100-1] = L'\0';68 /* FIX: Set data pointer to the allocated memory buffer */69 data = dataBuffer;70 }71 {72 wchar_t source[100];73 wmemset(source, L'C', 100-1); /* fill with 'C's */74 source[100-1] = L'\0'; /* null terminate */75 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */76 wcsncpy(data, source, 100-1);77 /* Ensure the destination buffer is null terminated */78 data[100-1] = L'\0';79 printWLine(data);80 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location81 * returned by new [] so can't safely call delete [] on it */82 }83}8485void good()86{87 goodG2B();88}8990#endif /* OMITGOOD */9192} /* close namespace */9394/* Below is the main(). It is only used when building this testcase on95 its own for testing or for building a binary to use in testing binary96 analysis tools. It is not used when compiling all the testcases as one97 application, which is how source code analysis tools are tested. */9899#ifdef INCLUDEMAIN100101using namespace CWE124_Buffer_Underwrite__new_wchar_t_ncpy_18; /* so that we can use good and bad easily */102103int main(int argc, char * argv[])104{105 /* seed randomness */106 srand( (unsigned)time(NULL) );107#ifndef OMITGOOD108 printLine("Calling good()...");109 good();110 printLine("Finished good()");111#endif /* OMITGOOD */112#ifndef OMITBAD113 printLine("Calling bad()...");114 bad();115 printLine("Finished bad()");116#endif /* OMITBAD */117 return 0;118}119120#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__CWE839_fgets_22b.c3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml4Template File: sources-sinks-22b.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: fgets Read data from the console using fgets()10 * GoodSource: Non-negative but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the lower bound14 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.15 *16 * */1718#include "std_testcase.h"1920#ifndef OMITBAD2122/* The global variable below is used to drive control flow in the sink function */23extern int CWE124_Buffer_Underwrite__CWE839_fgets_22_badGlobal;24✓ 25void CWE124_Buffer_Underwrite__CWE839_fgets_22_badSink(int data)26{✓ 27 if(CWE124_Buffer_Underwrite__CWE839_fgets_22_badGlobal)28 {29 {✓ 30 int i;✓ 31 int buffer[10] = { 0 };32 /* POTENTIAL FLAW: Attempt to access a negative index of the array33 * This code does not check to see if the array index is negative */✓ 34 if (data < 10)35 {✓ 36 buffer[data] = 1;❗VULN37 /* Print the array values */✓ 38 for(i = 0; i < 10; i++)39 {✓ 40 printIntLine(buffer[i]);41 }42 }43 else44 {✓ 45 printLine("ERROR: Array index is negative.");46 }47 }48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* The global variables below are used to drive control flow in the sink functions. */56extern int CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G1Global;57extern int CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G2Global;58extern int CWE124_Buffer_Underwrite__CWE839_fgets_22_goodG2BGlobal;5960/* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */61void CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G1Sink(int data)62{63 if(CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G1Global)64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 {71 int i;72 int buffer[10] = { 0 };73 /* FIX: Properly validate the array index and prevent a buffer underwrite */74 if (data >= 0 && data < (10))75 {76 buffer[data] = 1;77 /* Print the array values */78 for(i = 0; i < 10; i++)79 {80 printIntLine(buffer[i]);81 }82 }83 else84 {85 printLine("ERROR: Array index is out-of-bounds");86 }87 }88 }89}9091/* goodB2G2() - use badsource and goodsink by reversing the blocks in the if in the sink function */92void CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G2Sink(int data)93{94 if(CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G2Global)95 {96 {97 int i;98 int buffer[10] = { 0 };99 /* FIX: Properly validate the array index and prevent a buffer underwrite */100 if (data >= 0 && data < (10))101 {102 buffer[data] = 1;103 /* Print the array values */104 for(i = 0; i < 10; i++)105 {106 printIntLine(buffer[i]);107 }108 }109 else110 {111 printLine("ERROR: Array index is out-of-bounds");112 }113 }114 }115}116117/* goodG2B() - use goodsource and badsink */118void CWE124_Buffer_Underwrite__CWE839_fgets_22_goodG2BSink(int data)119{120 if(CWE124_Buffer_Underwrite__CWE839_fgets_22_goodG2BGlobal)121 {122 {123 int i;124 int buffer[10] = { 0 };125 /* POTENTIAL FLAW: Attempt to access a negative index of the array126 * This code does not check to see if the array index is negative */127 if (data < 10)128 {129 buffer[data] = 1;130 /* Print the array values */131 for(i = 0; i < 10; i++)132 {133 printIntLine(buffer[i]);134 }135 }136 else137 {138 printLine("ERROR: Array index is negative.");139 }140 }141 }142}143144#endif /* OMITGOOD */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml4Template File: sources-sink-42.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: snprintf12 * BadSink : Copy string to data using snprintf13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snprintf23#else24#define SNPRINTF snprintf25#endif2627#ifndef OMITBAD2829static char * badSource(char * data)30{31 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */32 data = (char *)malloc(50*sizeof(char));33 if (data == NULL) {exit(-1);}34 data[0] = '\0'; /* null terminate */35 return data;36}3738void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42_bad()39{✓ 40 char * data;✓ 41 data = NULL;✓ 42 data = badSource(data);43 {✓ 44 char source[100];✓ 45 memset(source, 'C', 100-1); /* fill with 'C's */✓ 46 source[100-1] = '\0'; /* null terminate */47 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 48 SNPRINTF(data, 100, "%s", source);❗VULN✓ 49 printLine(data);✓ 50 free(data);51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758static char * goodG2BSource(char * data)59{60 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */61 data = (char *)malloc(100*sizeof(char));62 if (data == NULL) {exit(-1);}63 data[0] = '\0'; /* null terminate */64 return data;65}6667/* goodG2B uses the GoodSource with the BadSink */68static void goodG2B()69{70 char * data;71 data = NULL;72 data = goodG2BSource(data);73 {74 char source[100];75 memset(source, 'C', 100-1); /* fill with 'C's */76 source[100-1] = '\0'; /* null terminate */77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */78 SNPRINTF(data, 100, "%s", source);79 printLine(data);80 free(data);81 }82}8384void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42_good()85{86 goodG2B();87}8889#endif /* OMITGOOD */9091/* Below is the main(). It is only used when building this testcase on92 * its own for testing or for building a binary to use in testing binary93 * analysis tools. It is not used when compiling all the testcases as one94 * application, which is how source code analysis tools are tested.95 */9697#ifdef INCLUDEMAIN9899int main(int argc, char * argv[])100{101 /* seed randomness */102 srand( (unsigned)time(NULL) );103#ifndef OMITGOOD104 printLine("Calling good()...");105 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42_good();106 printLine("Finished good()");107#endif /* OMITGOOD */108#ifndef OMITBAD109 printLine("Calling bad()...");110 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42_bad();111 printLine("Finished bad()");112#endif /* OMITBAD */113 return 0;114}115116#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__char_declare_cpy_16.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-16.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy string to data using strcpy13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__char_declare_cpy_16_bad()24{✓ 25 char * data;✓ 26 char dataBuffer[100];✓ 27 memset(dataBuffer, 'A', 100-1);✓ 28 dataBuffer[100-1] = '\0';✓ 29 while(1)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;✓ 33 break;34 }35 {✓ 36 char source[100];✓ 37 memset(source, 'C', 100-1); /* fill with 'C's */✓ 38 source[100-1] = '\0'; /* null terminate */39 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 40 strcpy(data, source);❗VULN✓ 41 printLine(data);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */50static void goodG2B()51{52 char * data;53 char dataBuffer[100];54 memset(dataBuffer, 'A', 100-1);55 dataBuffer[100-1] = '\0';56 while(1)57 {58 /* FIX: Set data pointer to the allocated memory buffer */59 data = dataBuffer;60 break;61 }62 {63 char source[100];64 memset(source, 'C', 100-1); /* fill with 'C's */65 source[100-1] = '\0'; /* null terminate */66 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */67 strcpy(data, source);68 printLine(data);69 }70}7172void CWE124_Buffer_Underwrite__char_declare_cpy_16_good()73{74 goodG2B();75}7677#endif /* OMITGOOD */7879/* Below is the main(). It is only used when building this testcase on80 * its own for testing or for building a binary to use in testing binary81 * analysis tools. It is not used when compiling all the testcases as one82 * application, which is how source code analysis tools are tested.83 */8485#ifdef INCLUDEMAIN8687int main(int argc, char * argv[])88{89 /* seed randomness */90 srand( (unsigned)time(NULL) );91#ifndef OMITGOOD92 printLine("Calling good()...");93 CWE124_Buffer_Underwrite__char_declare_cpy_16_good();94 printLine("Finished good()");95#endif /* OMITGOOD */96#ifndef OMITBAD97 printLine("Calling bad()...");98 CWE124_Buffer_Underwrite__char_declare_cpy_16_bad();99 printLine("Finished bad()");100#endif /* OMITBAD */101 return 0;102}103104#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_32.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-32.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy string to data using memmove13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_3222{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 wchar_t * *dataPtr1 = &data;✓ 30 wchar_t * *dataPtr2 = &data;✓ 31 data = NULL;32 {✓ 33 wchar_t * data = *dataPtr1;34 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 35 data = new wchar_t[50];✓ 36 data[0] = L'\0'; /* null terminate */✓ 37 *dataPtr1 = data;38 }39 {✓ 40 wchar_t * data = *dataPtr2;41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 46 memmove(data, source, 100*sizeof(wchar_t));❗VULN✓ 47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 48 printWLine(data);✓ 49 delete [] data;50 }51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B() uses the GoodSource with the BadSink */59static void goodG2B()60{61 wchar_t * data;62 wchar_t * *dataPtr1 = &data;63 wchar_t * *dataPtr2 = &data;64 data = NULL;65 {66 wchar_t * data = *dataPtr1;67 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */68 data = new wchar_t[100];69 data[0] = L'\0'; /* null terminate */70 *dataPtr1 = data;71 }72 {73 wchar_t * data = *dataPtr2;74 {75 wchar_t source[100];76 wmemset(source, L'C', 100-1); /* fill with L'C's */77 source[100-1] = L'\0'; /* null terminate */78 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */79 memmove(data, source, 100*sizeof(wchar_t));80 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */81 printWLine(data);82 delete [] data;83 }84 }85}8687void good()88{89 goodG2B();90}9192#endif /* OMITGOOD */9394} /* close namespace */9596/* Below is the main(). It is only used when building this testcase on97 its own for testing or for building a binary to use in testing binary98 analysis tools. It is not used when compiling all the testcases as one99 application, which is how source code analysis tools are tested. */100#ifdef INCLUDEMAIN101102using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_32; /* so that we can use good and bad easily */103104int main(int argc, char * argv[])105{106 /* seed randomness */107 srand( (unsigned)time(NULL) );108#ifndef OMITGOOD109 printLine("Calling good()...");110 good();111 printLine("Finished good()");112#endif /* OMITGOOD */113#ifndef OMITBAD114 printLine("Calling bad()...");115 bad();116 printLine("Finished bad()");117#endif /* OMITBAD */118 return 0;119}120121#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory without using sizeof(int)10 * GoodSource: Allocate memory using sizeof(int)11 * Sink: loop12 * BadSink : Copy array to data using a loop13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819/* The variable below is not declared "const", but is never assigned20 * any other value so a tool should be able to identify that reads of21 * this will always give its initialized value.22 */23static int staticFive = 5;2425#ifndef OMITBAD2627void CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07_bad()28{✓ 29 int * data;✓ 30 data = NULL;✓ 31 if(staticFive==5)32 {33 /* FLAW: Allocate memory without using sizeof(int) */✓ 34 data = (int *)malloc(10);✓ 35 if (data == NULL) {exit(-1);}36 }37 {✓ 38 int source[10] = {0};✓ 39 size_t i;40 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */✓ 41 for (i = 0; i < 10; i++)42 {✓ 43 data[i] = source[i];❗VULN44 }✓ 45 printIntLine(data[0]);✓ 46 free(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */55static void goodG2B1()56{57 int * data;58 data = NULL;59 if(staticFive!=5)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 /* FIX: Allocate memory using sizeof(int) */67 data = (int *)malloc(10*sizeof(int));68 if (data == NULL) {exit(-1);}69 }70 {71 int source[10] = {0};72 size_t i;73 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */74 for (i = 0; i < 10; i++)75 {76 data[i] = source[i];77 }78 printIntLine(data[0]);79 free(data);80 }81}8283/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */84static void goodG2B2()85{86 int * data;87 data = NULL;88 if(staticFive==5)89 {90 /* FIX: Allocate memory using sizeof(int) */91 data = (int *)malloc(10*sizeof(int));92 if (data == NULL) {exit(-1);}93 }94 {95 int source[10] = {0};96 size_t i;97 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */98 for (i = 0; i < 10; i++)99 {100 data[i] = source[i];101 }102 printIntLine(data[0]);103 free(data);104 }105}106107void CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07_good()108{109 goodG2B1();110 goodG2B2();111}112113#endif /* OMITGOOD */114115/* Below is the main(). It is only used when building this testcase on116 * its own for testing or for building a binary to use in testing binary117 * analysis tools. It is not used when compiling all the testcases as one118 * application, which is how source code analysis tools are tested.119 */120121#ifdef INCLUDEMAIN122123int main(int argc, char * argv[])124{125 /* seed randomness */126 srand( (unsigned)time(NULL) );127#ifndef OMITGOOD128 printLine("Calling good()...");129 CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07_good();130 printLine("Finished good()");131#endif /* OMITGOOD */132#ifndef OMITBAD133 printLine("Calling bad()...");134 CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07_bad();135 printLine("Finished bad()");136#endif /* OMITBAD */137 return 0;138}139140#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml4Template File: sources-sink-04.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: cpy12 * BadSink : Copy string to data using wcscpy13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are declared "const", so a tool should22 * be able to identify that reads of these will always return their23 * initialized values.24 */25static const int STATIC_CONST_TRUE = 1; /* true */26static const int STATIC_CONST_FALSE = 0; /* false */2728#ifndef OMITBAD2930void CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04_bad()31{✓ 32 wchar_t * data;✓ 33 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));✓ 34 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 35 if(STATIC_CONST_TRUE)36 {37 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination38 * buffer in various memory copying functions using a "large" source buffer. */✓ 39 data = dataBadBuffer;✓ 40 data[0] = L'\0'; /* null terminate */41 }42 {✓ 43 wchar_t source[100];✓ 44 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 45 source[100-1] = L'\0'; /* null terminate */46 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 47 wcscpy(data, source);❗VULN✓ 48 printWLine(data);49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */57static void goodG2B1()58{59 wchar_t * data;60 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));61 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));62 if(STATIC_CONST_FALSE)63 {64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */65 printLine("Benign, fixed string");66 }67 else68 {69 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */70 data = dataGoodBuffer;71 data[0] = L'\0'; /* null terminate */72 }73 {74 wchar_t source[100];75 wmemset(source, L'C', 100-1); /* fill with L'C's */76 source[100-1] = L'\0'; /* null terminate */77 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */78 wcscpy(data, source);79 printWLine(data);80 }81}8283/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */84static void goodG2B2()85{86 wchar_t * data;87 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));88 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));89 if(STATIC_CONST_TRUE)90 {91 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */92 data = dataGoodBuffer;93 data[0] = L'\0'; /* null terminate */94 }95 {96 wchar_t source[100];97 wmemset(source, L'C', 100-1); /* fill with L'C's */98 source[100-1] = L'\0'; /* null terminate */99 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */100 wcscpy(data, source);101 printWLine(data);102 }103}104105void CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04_good()106{107 goodG2B1();108 goodG2B2();109}110111#endif /* OMITGOOD */112113/* Below is the main(). It is only used when building this testcase on114 * its own for testing or for building a binary to use in testing binary115 * analysis tools. It is not used when compiling all the testcases as one116 * application, which is how source code analysis tools are tested.117 */118119#ifdef INCLUDEMAIN120121int main(int argc, char * argv[])122{123 /* seed randomness */124 srand( (unsigned)time(NULL) );125#ifndef OMITGOOD126 printLine("Calling good()...");127 CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04_good();128 printLine("Finished good()");129#endif /* OMITGOOD */130#ifndef OMITBAD131 printLine("Calling bad()...");132 CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04_bad();133 printLine("Finished bad()");134#endif /* OMITBAD */135 return 0;136}137138#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml4Template File: sources-sink-32.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Point data to a buffer that does not have space for a NULL terminator10 * GoodSource: Point data to a buffer that includes space for a NULL terminator11 * Sink: cpy12 * BadSink : Copy string to data using wcscpy()13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING L"AAAAAAAAAA"2526#ifndef OMITBAD2728void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32_bad()29{✓ 30 wchar_t * data;✓ 31 wchar_t * *dataPtr1 = &data;✓ 32 wchar_t * *dataPtr2 = &data;✓ 33 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));✓ 34 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));35 {✓ 36 wchar_t * data = *dataPtr1;37 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing38 * string copies in the sinks */✓ 39 data = dataBadBuffer;✓ 40 data[0] = L'\0'; /* null terminate */✓ 41 *dataPtr1 = data;42 }43 {✓ 44 wchar_t * data = *dataPtr2;45 {✓ 46 wchar_t source[10+1] = SRC_STRING;47 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 48 wcscpy(data, source);❗VULN✓ 49 printWLine(data);50 }51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B() uses the GoodSource with the BadSink */59static void goodG2B()60{61 wchar_t * data;62 wchar_t * *dataPtr1 = &data;63 wchar_t * *dataPtr2 = &data;64 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));65 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));66 {67 wchar_t * data = *dataPtr1;68 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing69 * string copies in the sinks */70 data = dataGoodBuffer;71 data[0] = L'\0'; /* null terminate */72 *dataPtr1 = data;73 }74 {75 wchar_t * data = *dataPtr2;76 {77 wchar_t source[10+1] = SRC_STRING;78 /* POTENTIAL FLAW: data may not have enough space to hold source */79 wcscpy(data, source);80 printWLine(data);81 }82 }83}8485void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32_good()86{87 goodG2B();88}8990#endif /* OMITGOOD */9192/* Below is the main(). It is only used when building this testcase on93 * its own for testing or for building a binary to use in testing binary94 * analysis tools. It is not used when compiling all the testcases as one95 * application, which is how source code analysis tools are tested.96 */97#ifdef INCLUDEMAIN9899int main(int argc, char * argv[])100{101 /* seed randomness */102 srand( (unsigned)time(NULL) );103#ifndef OMITGOOD104 printLine("Calling good()...");105 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32_good();106 printLine("Finished good()");107#endif /* OMITGOOD */108#ifndef OMITBAD109 printLine("Calling bad()...");110 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32_bad();111 printLine("Finished bad()");112#endif /* OMITBAD */113 return 0;114}115116#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml4Template File: sources-sink-21.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: ncat12 * BadSink : Copy string to data using strncat13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223/* The static variable below is used to drive control flow in the source function */24static int badStatic = 0;2526static char * badSource(char * data)27{28 if(badStatic)29 {30 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */31 data = (char *)malloc(50*sizeof(char));32 if (data == NULL) {exit(-1);}33 data[0] = '\0'; /* null terminate */34 }35 return data;36}3738void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21_bad()39{✓ 40 char * data;✓ 41 data = NULL;✓ 42 badStatic = 1; /* true */✓ 43 data = badSource(data);44 {✓ 45 char source[100];✓ 46 memset(source, 'C', 100-1); /* fill with 'C's */✓ 47 source[100-1] = '\0'; /* null terminate */48 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 49 strncat(data, source, 100);❗VULN✓ 50 printLine(data);✓ 51 free(data);52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* The static variables below are used to drive control flow in the source functions. */60static int goodG2B1Static = 0;61static int goodG2B2Static = 0;6263/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */64static char * goodG2B1Source(char * data)65{66 if(goodG2B1Static)67 {68 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */69 printLine("Benign, fixed string");70 }71 else72 {73 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */74 data = (char *)malloc(100*sizeof(char));75 if (data == NULL) {exit(-1);}76 data[0] = '\0'; /* null terminate */77 }78 return data;79}8081static void goodG2B1()82{83 char * data;84 data = NULL;85 goodG2B1Static = 0; /* false */86 data = goodG2B1Source(data);87 {88 char source[100];89 memset(source, 'C', 100-1); /* fill with 'C's */90 source[100-1] = '\0'; /* null terminate */91 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */92 strncat(data, source, 100);93 printLine(data);94 free(data);95 }96}9798/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */99static char * goodG2B2Source(char * data)100{101 if(goodG2B2Static)102 {103 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */104 data = (char *)malloc(100*sizeof(char));105 if (data == NULL) {exit(-1);}106 data[0] = '\0'; /* null terminate */107 }108 return data;109}110111static void goodG2B2()112{113 char * data;114 data = NULL;115 goodG2B2Static = 1; /* true */116 data = goodG2B2Source(data);117 {118 char source[100];119 memset(source, 'C', 100-1); /* fill with 'C's */120 source[100-1] = '\0'; /* null terminate */121 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */122 strncat(data, source, 100);123 printLine(data);124 free(data);125 }126}127128void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21_good()129{130 goodG2B1();131 goodG2B2();132}133134#endif /* OMITGOOD */135136/* Below is the main(). It is only used when building this testcase on137 * its own for testing or for building a binary to use in testing binary138 * analysis tools. It is not used when compiling all the testcases as one139 * application, which is how source code analysis tools are tested.140 */141142#ifdef INCLUDEMAIN143144int main(int argc, char * argv[])145{146 /* seed randomness */147 srand( (unsigned)time(NULL) );148#ifndef OMITGOOD149 printLine("Calling good()...");150 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21_good();151 printLine("Finished good()");152#endif /* OMITGOOD */153#ifndef OMITBAD154 printLine("Calling bad()...");155 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21_bad();156 printLine("Finished bad()");157#endif /* OMITBAD */158 return 0;159}160161#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 27 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__CWE839_fgets_12.c3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml4Template File: sources-sinks-12.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: fgets Read data from the console using fgets()10 * GoodSource: Non-negative but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the lower bound14 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())15 *16 * */1718#include "std_testcase.h"1920#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)2122#ifndef OMITBAD2324void CWE124_Buffer_Underwrite__CWE839_fgets_12_bad()25{✓ 26 int data;27 /* Initialize data */✓ 28 data = -1;✓ 29 if(globalReturnsTrueOrFalse())30 {31 {✓ 32 char inputBuffer[CHAR_ARRAY_SIZE] = "";33 /* POTENTIAL FLAW: Read data from the console using fgets() */✓ 34 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)35 {36 /* Convert to int */✓ 37 data = atoi(inputBuffer);38 }39 else40 {✓ 41 printLine("fgets() failed.");42 }43 }44 }45 else46 {47 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to48 * access an index of the array in the sink that is out-of-bounds */✓ 49 data = 7;50 }✓ 51 if(globalReturnsTrueOrFalse())52 {53 {✓ 54 int i;✓ 55 int buffer[10] = { 0 };56 /* POTENTIAL FLAW: Attempt to access a negative index of the array57 * This code does not check to see if the array index is negative */✓ 58 if (data < 10)59 {✓ 60 buffer[data] = 1;❗VULN61 /* Print the array values */✓ 62 for(i = 0; i < 10; i++)63 {✓ 64 printIntLine(buffer[i]);65 }66 }67 else68 {✓ 69 printLine("ERROR: Array index is negative.");70 }71 }72 }73 else74 {75 {✓ 76 int i;✓ 77 int buffer[10] = { 0 };78 /* FIX: Properly validate the array index and prevent a buffer underwrite */✓ 79 if (data >= 0 && data < (10))80 {✓ 81 buffer[data] = 1;82 /* Print the array values */✓ 83 for(i = 0; i < 10; i++)84 {✓ 85 printIntLine(buffer[i]);86 }87 }88 else89 {✓ 90 printLine("ERROR: Array index is out-of-bounds");91 }92 }93 }94}9596#endif /* OMITBAD */9798#ifndef OMITGOOD99100/* goodB2G() - use badsource and goodsink by changing the first "if" so that101 both branches use the BadSource and the second "if" so that both branches102 use the GoodSink */103static void goodB2G()104{105 int data;106 /* Initialize data */107 data = -1;108 if(globalReturnsTrueOrFalse())109 {110 {111 char inputBuffer[CHAR_ARRAY_SIZE] = "";112 /* POTENTIAL FLAW: Read data from the console using fgets() */113 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)114 {115 /* Convert to int */116 data = atoi(inputBuffer);117 }118 else119 {120 printLine("fgets() failed.");121 }122 }123 }124 else125 {126 {127 char inputBuffer[CHAR_ARRAY_SIZE] = "";128 /* POTENTIAL FLAW: Read data from the console using fgets() */129 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)130 {131 /* Convert to int */132 data = atoi(inputBuffer);133 }134 else135 {136 printLine("fgets() failed.");137 }138 }139 }140 if(globalReturnsTrueOrFalse())141 {142 {143 int i;144 int buffer[10] = { 0 };145 /* FIX: Properly validate the array index and prevent a buffer underwrite */146 if (data >= 0 && data < (10))147 {148 buffer[data] = 1;149 /* Print the array values */150 for(i = 0; i < 10; i++)151 {152 printIntLine(buffer[i]);153 }154 }155 else156 {157 printLine("ERROR: Array index is out-of-bounds");158 }159 }160 }161 else162 {163 {164 int i;165 int buffer[10] = { 0 };166 /* FIX: Properly validate the array index and prevent a buffer underwrite */167 if (data >= 0 && data < (10))168 {169 buffer[data] = 1;170 /* Print the array values */171 for(i = 0; i < 10; i++)172 {173 printIntLine(buffer[i]);174 }175 }176 else177 {178 printLine("ERROR: Array index is out-of-bounds");179 }180 }181 }182}183184/* goodG2B() - use goodsource and badsink by changing the first "if" so that185 both branches use the GoodSource and the second "if" so that both branches186 use the BadSink */187static void goodG2B()188{189 int data;190 /* Initialize data */191 data = -1;192 if(globalReturnsTrueOrFalse())193 {194 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to195 * access an index of the array in the sink that is out-of-bounds */196 data = 7;197 }198 else199 {200 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to201 * access an index of the array in the sink that is out-of-bounds */202 data = 7;203 }204 if(globalReturnsTrueOrFalse())205 {206 {207 int i;208 int buffer[10] = { 0 };209 /* POTENTIAL FLAW: Attempt to access a negative index of the array210 * This code does not check to see if the array index is negative */211 if (data < 10)212 {213 buffer[data] = 1;214 /* Print the array values */215 for(i = 0; i < 10; i++)216 {217 printIntLine(buffer[i]);218 }219 }220 else221 {222 printLine("ERROR: Array index is negative.");223 }224 }225 }226 else227 {228 {229 int i;230 int buffer[10] = { 0 };231 /* POTENTIAL FLAW: Attempt to access a negative index of the array232 * This code does not check to see if the array index is negative */233 if (data < 10)234 {235 buffer[data] = 1;236 /* Print the array values */237 for(i = 0; i < 10; i++)238 {239 printIntLine(buffer[i]);240 }241 }242 else243 {244 printLine("ERROR: Array index is negative.");245 }246 }247 }248}249250void CWE124_Buffer_Underwrite__CWE839_fgets_12_good()251{252 goodB2G();253 goodG2B();254}255256#endif /* OMITGOOD */257258/* Below is the main(). It is only used when building this testcase on259 its own for testing or for building a binary to use in testing binary260 analysis tools. It is not used when compiling all the testcases as one261 application, which is how source code analysis tools are tested. */262263#ifdef INCLUDEMAIN264265int main(int argc, char * argv[])266{267 /* seed randomness */268 srand( (unsigned)time(NULL) );269#ifndef OMITGOOD270 printLine("Calling good()...");271 CWE124_Buffer_Underwrite__CWE839_fgets_12_good();272 printLine("Finished good()");273#endif /* OMITGOOD */274#ifndef OMITBAD275 printLine("Calling bad()...");276 CWE124_Buffer_Underwrite__CWE839_fgets_12_bad();277 printLine("Finished bad()");278#endif /* OMITBAD */279 return 0;280}281282#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: snprintf12 * BadSink : Copy data to string using snprintf13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snprintf23#else24#define SNPRINTF snprintf25#endif2627#ifndef OMITBAD2829void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18_bad()30{✓ 31 char * data;✓ 32 data = (char *)malloc(100*sizeof(char));✓ 33 if (data == NULL) {exit(-1);}✓ 34 goto source;✓ 35source:36 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 37 memset(data, 'A', 100-1); /* fill with 'A's */✓ 38 data[100-1] = '\0'; /* null terminate */39 {✓ 40 char dest[50] = "";41 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 42 SNPRINTF(dest, strlen(data), "%s", data);❗VULN✓ 43 printLine(data);✓ 44 free(data);45 }46}4748#endif /* OMITBAD */4950#ifndef OMITGOOD5152/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */53static void goodG2B()54{55 char * data;56 data = (char *)malloc(100*sizeof(char));57 if (data == NULL) {exit(-1);}58 goto source;59source:60 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */61 memset(data, 'A', 50-1); /* fill with 'A's */62 data[50-1] = '\0'; /* null terminate */63 {64 char dest[50] = "";65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */66 SNPRINTF(dest, strlen(data), "%s", data);67 printLine(data);68 free(data);69 }70}7172void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18_good()73{74 goodG2B();75}7677#endif /* OMITGOOD */7879/* Below is the main(). It is only used when building this testcase on80 * its own for testing or for building a binary to use in testing binary81 * analysis tools. It is not used when compiling all the testcases as one82 * application, which is how source code analysis tools are tested.83 */8485#ifdef INCLUDEMAIN8687int main(int argc, char * argv[])88{89 /* seed randomness */90 srand( (unsigned)time(NULL) );91#ifndef OMITGOOD92 printLine("Calling good()...");93 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18_good();94 printLine("Finished good()");95#endif /* OMITGOOD */96#ifndef OMITBAD97 printLine("Calling bad()...");98 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18_bad();99 printLine("Finished bad()");100#endif /* OMITBAD */101 return 0;102}103104#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 data = dataBuffer;✓ 28 if(1)29 {30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 31 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 32 data[100-1] = L'\0'; /* null terminate */33 }34 {✓ 35 wchar_t dest[50] = L"";36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 37 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN✓ 38 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 39 printWLine(data);40 }41}4243#endif /* OMITBAD */4445#ifndef OMITGOOD4647/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */48static void goodG2B1()49{50 wchar_t * data;51 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));52 data = dataBuffer;53 if(0)54 {55 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */56 printLine("Benign, fixed string");57 }58 else59 {60 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */61 wmemset(data, L'A', 50-1); /* fill with L'A's */62 data[50-1] = L'\0'; /* null terminate */63 }64 {65 wchar_t dest[50] = L"";66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */67 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));68 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */69 printWLine(data);70 }71}7273/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */74static void goodG2B2()75{76 wchar_t * data;77 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));78 data = dataBuffer;79 if(1)80 {81 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */82 wmemset(data, L'A', 50-1); /* fill with L'A's */83 data[50-1] = L'\0'; /* null terminate */84 }85 {86 wchar_t dest[50] = L"";87 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */88 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));89 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */90 printWLine(data);91 }92}9394void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02_good()95{96 goodG2B1();97 goodG2B2();98}99100#endif /* OMITGOOD */101102/* Below is the main(). It is only used when building this testcase on103 * its own for testing or for building a binary to use in testing binary104 * analysis tools. It is not used when compiling all the testcases as one105 * application, which is how source code analysis tools are tested.106 */107108#ifdef INCLUDEMAIN109110int main(int argc, char * argv[])111{112 /* seed randomness */113 srand( (unsigned)time(NULL) );114#ifndef OMITGOOD115 printLine("Calling good()...");116 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02_good();117 printLine("Finished good()");118#endif /* OMITGOOD */119#ifndef OMITBAD120 printLine("Calling bad()...");121 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02_bad();122 printLine("Finished bad()");123#endif /* OMITBAD */124 return 0;125}126127#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__CWE129_fscanf_33.cpp3Label Definition File: CWE126_Buffer_Overread__CWE129.label.xml4Template File: sources-sinks-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 126 Buffer Overread9 * BadSource: fscanf Read data from the console using fscanf()10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function15 *16 * */1718#include "std_testcase.h"1920namespace CWE126_Buffer_Overread__CWE129_fscanf_3321{2223#ifndef OMITBAD2425void bad()26{✓ 27 int data;✓ 28 int &dataRef = data;29 /* Initialize data */✓ 30 data = -1;31 /* POTENTIAL FLAW: Read data from the console using fscanf() */✓ 32 fscanf(stdin, "%d", &data);33 {✓ 34 int data = dataRef;35 {✓ 36 int buffer[10] = { 0 };37 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound38 * This check does not check the upper bounds of the array index */✓ 39 if (data >= 0)40 {✓ 41 printIntLine(buffer[data]);❗VULN42 }43 else44 {✓ 45 printLine("ERROR: Array index is negative");46 }47 }48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() uses the GoodSource with the BadSink */56static void goodG2B()57{58 int data;59 int &dataRef = data;60 /* Initialize data */61 data = -1;62 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to63 * access an index of the array in the sink that is out-of-bounds */64 data = 7;65 {66 int data = dataRef;67 {68 int buffer[10] = { 0 };69 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound70 * This check does not check the upper bounds of the array index */71 if (data >= 0)72 {73 printIntLine(buffer[data]);74 }75 else76 {77 printLine("ERROR: Array index is negative");78 }79 }80 }81}8283/* goodB2G() uses the BadSource with the GoodSink */84static void goodB2G()85{86 int data;87 int &dataRef = data;88 /* Initialize data */89 data = -1;90 /* POTENTIAL FLAW: Read data from the console using fscanf() */91 fscanf(stdin, "%d", &data);92 {93 int data = dataRef;94 {95 int buffer[10] = { 0 };96 /* FIX: Properly validate the array index and prevent a buffer overread */97 if (data >= 0 && data < (10))98 {99 printIntLine(buffer[data]);100 }101 else102 {103 printLine("ERROR: Array index is out-of-bounds");104 }105 }106 }107}108109void good()110{111 goodG2B();112 goodB2G();113}114115#endif /* OMITGOOD */116117} /* close namespace */118119/* Below is the main(). It is only used when building this testcase on120 its own for testing or for building a binary to use in testing binary121 analysis tools. It is not used when compiling all the testcases as one122 application, which is how source code analysis tools are tested. */123#ifdef INCLUDEMAIN124125using namespace CWE126_Buffer_Overread__CWE129_fscanf_33; /* so that we can use good and bad easily */126127int main(int argc, char * argv[])128{129 /* seed randomness */130 srand( (unsigned)time(NULL) );131#ifndef OMITGOOD132 printLine("Calling good()...");133 good();134 printLine("Finished good()");135#endif /* OMITGOOD */136#ifndef OMITBAD137 printLine("Calling bad()...");138 bad();139 printLine("Finished bad()");140#endif /* OMITBAD */141 return 0;142}143144#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-31.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sinks: ncat12 * BadSink : Copy data to string using wcsncat13 * Flow Variant: 31 Data flow using a copy of data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 data = dataBuffer;28 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 29 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 30 data[100-1] = L'\0'; /* null terminate */31 {✓ 32 wchar_t * dataCopy = data;✓ 33 wchar_t * data = dataCopy;34 {✓ 35 wchar_t dest[50] = L"";36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/✓ 37 wcsncat(dest, data, wcslen(data));❗VULN✓ 38 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 39 printWLine(data);40 }41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B() uses the GoodSource with the BadSink */49static void goodG2B()50{51 wchar_t * data;52 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));53 data = dataBuffer;54 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */55 wmemset(data, L'A', 50-1); /* fill with L'A's */56 data[50-1] = L'\0'; /* null terminate */57 {58 wchar_t * dataCopy = data;59 wchar_t * data = dataCopy;60 {61 wchar_t dest[50] = L"";62 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/63 wcsncat(dest, data, wcslen(data));64 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */65 printWLine(data);66 }67 }68}6970void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31_good()71{72 goodG2B();73}7475#endif /* OMITGOOD */7677/* Below is the main(). It is only used when building this testcase on78 * its own for testing or for building a binary to use in testing binary79 * analysis tools. It is not used when compiling all the testcases as one80 * application, which is how source code analysis tools are tested.81 */82#ifdef INCLUDEMAIN8384int main(int argc, char * argv[])85{86 /* seed randomness */87 srand( (unsigned)time(NULL) );88#ifndef OMITGOOD89 printLine("Calling good()...");90 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31_good();91 printLine("Finished good()");92#endif /* OMITGOOD */93#ifndef OMITBAD94 printLine("Calling bad()...");95 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31_bad();96 printLine("Finished bad()");97#endif /* OMITBAD */98 return 0;99}100101#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 3 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE135_74b.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE135.label.xml4Template File: sources-sinks-74b.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Void pointer to a wchar_t array10 * GoodSource: Void pointer to a char array11 * Sinks:12 * GoodSink: Allocate memory using wcslen() and copy data13 * BadSink : Allocate memory using strlen() and copy data14 * Flow Variant: 74 Data flow: data passed in a map from one function to another in different source files15 *16 * */1718#include "std_testcase.h"19#include <map>2021#include <wchar.h>2223using namespace std;2425namespace CWE122_Heap_Based_Buffer_Overflow__CWE135_7426{2728#ifndef OMITBAD29✓ 30void badSink(map<int, void *> dataMap)31{32 /* copy data out of dataMap */✓ 33 void * data = dataMap[2];34 {35 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */✓ 36 size_t dataLen = strlen((char *)data);❗VULN✓ 37 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));✓ 38 if (dest == NULL) {exit(-1);}✓ 39 (void)wcscpy((wchar_t *)dest, (wchar_t *)data);❗VULN✓ 40 printLine((char *)dest);✓ 41 free(dest);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B uses the GoodSource with the BadSink */50void goodG2BSink(map<int, void *> dataMap)51{52 void * data = dataMap[2];53 {54 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */55 size_t dataLen = strlen((char *)data);56 void * dest = (void *)calloc(dataLen+1, 1);57 if (dest == NULL) {exit(-1);}58 (void)strcpy((char *)dest, (char *)data);59 printLine((char *)dest);60 free(dest);61 }62}6364/* goodB2G uses the BadSource with the GoodSink */65void goodB2GSink(map<int, void *> dataMap)66{67 void * data = dataMap[2];68 {69 /* FIX: treating pointer like a wchar_t* */70 size_t dataLen = wcslen((wchar_t *)data);71 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));72 if (dest == NULL) {exit(-1);}73 (void)wcscpy((wchar_t *)dest, (wchar_t *)data);74 printWLine((wchar_t *)dest);75 free(dest);76 }77}7879#endif /* OMITGOOD */8081} /* close namespace */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml4Template File: sources-sinks-06.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: rand Set data to result of rand(), which may be zero10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)15 *16 * */1718#include "std_testcase.h"1920/* The variable below is declared "const", so a tool should be able21 to identify that reads of this will always give its initialized22 value. */23static const int STATIC_CONST_FIVE = 5;2425#ifndef OMITBAD2627void CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06_bad()28{✓ 29 int data;30 /* Initialize data */✓ 31 data = -1;✓ 32 if(STATIC_CONST_FIVE==5)33 {34 /* POTENTIAL FLAW: Set data to a random value */✓ 35 data = RAND32();36 }✓ 37 if(STATIC_CONST_FIVE==5)38 {39 {✓ 40 int i;✓ 41 int buffer[10] = { 0 };42 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound43 * This code does check to see if the array index is negative */✓ 44 if (data >= 0)45 {✓ 46 buffer[data] = 1;❗VULN47 /* Print the array values */✓ 48 for(i = 0; i < 10; i++)49 {✓ 50 printIntLine(buffer[i]);51 }52 }53 else54 {✓ 55 printLine("ERROR: Array index is negative.");56 }57 }58 }59}6061#endif /* OMITBAD */6263#ifndef OMITGOOD6465/* goodB2G1() - use badsource and goodsink by changing the second STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */66static void goodB2G1()67{68 int data;69 /* Initialize data */70 data = -1;71 if(STATIC_CONST_FIVE==5)72 {73 /* POTENTIAL FLAW: Set data to a random value */74 data = RAND32();75 }76 if(STATIC_CONST_FIVE!=5)77 {78 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */79 printLine("Benign, fixed string");80 }81 else82 {83 {84 int i;85 int buffer[10] = { 0 };86 /* FIX: Properly validate the array index and prevent a buffer overflow */87 if (data >= 0 && data < (10))88 {89 buffer[data] = 1;90 /* Print the array values */91 for(i = 0; i < 10; i++)92 {93 printIntLine(buffer[i]);94 }95 }96 else97 {98 printLine("ERROR: Array index is out-of-bounds");99 }100 }101 }102}103104/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */105static void goodB2G2()106{107 int data;108 /* Initialize data */109 data = -1;110 if(STATIC_CONST_FIVE==5)111 {112 /* POTENTIAL FLAW: Set data to a random value */113 data = RAND32();114 }115 if(STATIC_CONST_FIVE==5)116 {117 {118 int i;119 int buffer[10] = { 0 };120 /* FIX: Properly validate the array index and prevent a buffer overflow */121 if (data >= 0 && data < (10))122 {123 buffer[data] = 1;124 /* Print the array values */125 for(i = 0; i < 10; i++)126 {127 printIntLine(buffer[i]);128 }129 }130 else131 {132 printLine("ERROR: Array index is out-of-bounds");133 }134 }135 }136}137138/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */139static void goodG2B1()140{141 int data;142 /* Initialize data */143 data = -1;144 if(STATIC_CONST_FIVE!=5)145 {146 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */147 printLine("Benign, fixed string");148 }149 else150 {151 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to152 * access an index of the array in the sink that is out-of-bounds */153 data = 7;154 }155 if(STATIC_CONST_FIVE==5)156 {157 {158 int i;159 int buffer[10] = { 0 };160 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound161 * This code does check to see if the array index is negative */162 if (data >= 0)163 {164 buffer[data] = 1;165 /* Print the array values */166 for(i = 0; i < 10; i++)167 {168 printIntLine(buffer[i]);169 }170 }171 else172 {173 printLine("ERROR: Array index is negative.");174 }175 }176 }177}178179/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */180static void goodG2B2()181{182 int data;183 /* Initialize data */184 data = -1;185 if(STATIC_CONST_FIVE==5)186 {187 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to188 * access an index of the array in the sink that is out-of-bounds */189 data = 7;190 }191 if(STATIC_CONST_FIVE==5)192 {193 {194 int i;195 int buffer[10] = { 0 };196 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound197 * This code does check to see if the array index is negative */198 if (data >= 0)199 {200 buffer[data] = 1;201 /* Print the array values */202 for(i = 0; i < 10; i++)203 {204 printIntLine(buffer[i]);205 }206 }207 else208 {209 printLine("ERROR: Array index is negative.");210 }211 }212 }213}214215void CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06_good()216{217 goodB2G1();218 goodB2G2();219 goodG2B1();220 goodG2B2();221}222223#endif /* OMITGOOD */224225/* Below is the main(). It is only used when building this testcase on226 its own for testing or for building a binary to use in testing binary227 analysis tools. It is not used when compiling all the testcases as one228 application, which is how source code analysis tools are tested. */229230#ifdef INCLUDEMAIN231232int main(int argc, char * argv[])233{234 /* seed randomness */235 srand( (unsigned)time(NULL) );236#ifndef OMITGOOD237 printLine("Calling good()...");238 CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06_good();239 printLine("Finished good()");240#endif /* OMITGOOD */241#ifndef OMITBAD242 printLine("Calling bad()...");243 CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06_bad();244 printLine("Finished bad()");245#endif /* OMITBAD */246 return 0;247}248249#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-03.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memmove12 * BadSink : Copy string to data using memmove13 * Flow Variant: 03 Control flow: if(5==5) and if(5!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03_bad()24{✓ 25 char * data;✓ 26 char dataBadBuffer[50];✓ 27 char dataGoodBuffer[100];✓ 28 if(5==5)29 {30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination31 * buffer in various memory copying functions using a "large" source buffer. */✓ 32 data = dataBadBuffer;✓ 33 data[0] = '\0'; /* null terminate */34 }35 {✓ 36 char source[100];✓ 37 memset(source, 'C', 100-1); /* fill with 'C's */✓ 38 source[100-1] = '\0'; /* null terminate */39 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 40 memmove(data, source, 100*sizeof(char));❗VULN✓ 41 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 42 printLine(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the 5==5 to 5!=5 */51static void goodG2B1()52{53 char * data;54 char dataBadBuffer[50];55 char dataGoodBuffer[100];56 if(5!=5)57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */64 data = dataGoodBuffer;65 data[0] = '\0'; /* null terminate */66 }67 {68 char source[100];69 memset(source, 'C', 100-1); /* fill with 'C's */70 source[100-1] = '\0'; /* null terminate */71 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */72 memmove(data, source, 100*sizeof(char));73 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */74 printLine(data);75 }76}7778/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */79static void goodG2B2()80{81 char * data;82 char dataBadBuffer[50];83 char dataGoodBuffer[100];84 if(5==5)85 {86 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */87 data = dataGoodBuffer;88 data[0] = '\0'; /* null terminate */89 }90 {91 char source[100];92 memset(source, 'C', 100-1); /* fill with 'C's */93 source[100-1] = '\0'; /* null terminate */94 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */95 memmove(data, source, 100*sizeof(char));96 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */97 printLine(data);98 }99}100101void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03_good()102{103 goodG2B1();104 goodG2B2();105}106107#endif /* OMITGOOD */108109/* Below is the main(). It is only used when building this testcase on110 * its own for testing or for building a binary to use in testing binary111 * analysis tools. It is not used when compiling all the testcases as one112 * application, which is how source code analysis tools are tested.113 */114115#ifdef INCLUDEMAIN116117int main(int argc, char * argv[])118{119 /* seed randomness */120 srand( (unsigned)time(NULL) );121#ifndef OMITGOOD122 printLine("Calling good()...");123 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03_good();124 printLine("Finished good()");125#endif /* OMITGOOD */126#ifndef OMITBAD127 printLine("Calling bad()...");128 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03_bad();129 printLine("Finished bad()");130#endif /* OMITBAD */131 return 0;132}133134#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14.c3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml4Template File: sources-sink-14.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;✓ 27 if(globalFive==5)28 {29 {✓ 30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 wmemset(dataBuffer, L'A', 100-1);✓ 33 dataBuffer[100-1] = L'\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 {✓ 39 size_t i;✓ 40 wchar_t source[100];✓ 41 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 42 source[100-1] = L'\0'; /* null terminate */43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 44 for (i = 0; i < 100; i++)45 {✓ 46 data[i] = source[i];❗VULN47 }48 /* Ensure the destination buffer is null terminated */✓ 49 data[100-1] = L'\0';✓ 50 printWLine(data);51 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location52 * returned by malloc() so can't safely call free() on it */53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */61static void goodG2B1()62{63 wchar_t * data;64 data = NULL;65 if(globalFive!=5)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 {73 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));74 if (dataBuffer == NULL) {exit(-1);}75 wmemset(dataBuffer, L'A', 100-1);76 dataBuffer[100-1] = L'\0';77 /* FIX: Set data pointer to the allocated memory buffer */78 data = dataBuffer;79 }80 }81 {82 size_t i;83 wchar_t source[100];84 wmemset(source, L'C', 100-1); /* fill with 'C's */85 source[100-1] = L'\0'; /* null terminate */86 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */87 for (i = 0; i < 100; i++)88 {89 data[i] = source[i];90 }91 /* Ensure the destination buffer is null terminated */92 data[100-1] = L'\0';93 printWLine(data);94 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location95 * returned by malloc() so can't safely call free() on it */96 }97}9899/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */100static void goodG2B2()101{102 wchar_t * data;103 data = NULL;104 if(globalFive==5)105 {106 {107 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));108 if (dataBuffer == NULL) {exit(-1);}109 wmemset(dataBuffer, L'A', 100-1);110 dataBuffer[100-1] = L'\0';111 /* FIX: Set data pointer to the allocated memory buffer */112 data = dataBuffer;113 }114 }115 {116 size_t i;117 wchar_t source[100];118 wmemset(source, L'C', 100-1); /* fill with 'C's */119 source[100-1] = L'\0'; /* null terminate */120 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */121 for (i = 0; i < 100; i++)122 {123 data[i] = source[i];124 }125 /* Ensure the destination buffer is null terminated */126 data[100-1] = L'\0';127 printWLine(data);128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location129 * returned by malloc() so can't safely call free() on it */130 }131}132133void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14_good()134{135 goodG2B1();136 goodG2B2();137}138139#endif /* OMITGOOD */140141/* Below is the main(). It is only used when building this testcase on142 * its own for testing or for building a binary to use in testing binary143 * analysis tools. It is not used when compiling all the testcases as one144 * application, which is how source code analysis tools are tested.145 */146147#ifdef INCLUDEMAIN148149int main(int argc, char * argv[])150{151 /* seed randomness */152 srand( (unsigned)time(NULL) );153#ifndef OMITGOOD154 printLine("Calling good()...");155 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14_good();156 printLine("Finished good()");157#endif /* OMITGOOD */158#ifndef OMITBAD159 printLine("Calling bad()...");160 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14_bad();161 printLine("Finished bad()");162#endif /* OMITBAD */163 return 0;164}165166#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 20 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__char_declare_loop_32.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-32.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__char_declare_loop_32_bad()24{✓ 25 char * data;✓ 26 char * *dataPtr1 = &data;✓ 27 char * *dataPtr2 = &data;✓ 28 char dataBuffer[100];✓ 29 memset(dataBuffer, 'A', 100-1);✓ 30 dataBuffer[100-1] = '\0';31 {✓ 32 char * data = *dataPtr1;33 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 34 data = dataBuffer - 8;✓ 35 *dataPtr1 = data;36 }37 {✓ 38 char * data = *dataPtr2;39 {✓ 40 size_t i;✓ 41 char dest[100];✓ 42 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 43 dest[100-1] = '\0'; /* null terminate */44 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 45 for (i = 0; i < 100; i++)46 {✓ 47 dest[i] = data[i];❗VULN48 }49 /* Ensure null termination */✓ 50 dest[100-1] = '\0';✓ 51 printLine(dest);52 }53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B() uses the GoodSource with the BadSink */61static void goodG2B()62{63 char * data;64 char * *dataPtr1 = &data;65 char * *dataPtr2 = &data;66 char dataBuffer[100];67 memset(dataBuffer, 'A', 100-1);68 dataBuffer[100-1] = '\0';69 {70 char * data = *dataPtr1;71 /* FIX: Set data pointer to the allocated memory buffer */72 data = dataBuffer;73 *dataPtr1 = data;74 }75 {76 char * data = *dataPtr2;77 {78 size_t i;79 char dest[100];80 memset(dest, 'C', 100-1); /* fill with 'C's */81 dest[100-1] = '\0'; /* null terminate */82 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */83 for (i = 0; i < 100; i++)84 {85 dest[i] = data[i];86 }87 /* Ensure null termination */88 dest[100-1] = '\0';89 printLine(dest);90 }91 }92}9394void CWE127_Buffer_Underread__char_declare_loop_32_good()95{96 goodG2B();97}9899#endif /* OMITGOOD */100101/* Below is the main(). It is only used when building this testcase on102 * its own for testing or for building a binary to use in testing binary103 * analysis tools. It is not used when compiling all the testcases as one104 * application, which is how source code analysis tools are tested.105 */106#ifdef INCLUDEMAIN107108int main(int argc, char * argv[])109{110 /* seed randomness */111 srand( (unsigned)time(NULL) );112#ifndef OMITGOOD113 printLine("Calling good()...");114 CWE127_Buffer_Underread__char_declare_loop_32_good();115 printLine("Finished good()");116#endif /* OMITGOOD */117#ifndef OMITBAD118 printLine("Calling bad()...");119 CWE127_Buffer_Underread__char_declare_loop_32_bad();120 printLine("Finished bad()");121#endif /* OMITBAD */122 return 0;123}124125#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 7 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-45.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sinks: memmove12 * BadSink : Copy string to data using memmove13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_badData;22static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_goodG2BData;2324#ifndef OMITBAD2526static void badSink()27{✓ 28 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_badData;29 {✓ 30 wchar_t source[100];✓ 31 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 32 source[100-1] = L'\0'; /* null terminate */33 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 34 memmove(data, source, 100*sizeof(wchar_t));❗VULN✓ 35 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 36 printWLine(data);37 }38}3940void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_bad()41{42 wchar_t * data;43 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));44 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));45 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination46 * buffer in various memory copying functions using a "large" source buffer. */47 data = dataBadBuffer;48 data[0] = L'\0'; /* null terminate */49 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_badData = data;50 badSink();51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B() uses the GoodSource with the BadSink */58static void goodG2BSink()59{60 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_goodG2BData;61 {62 wchar_t source[100];63 wmemset(source, L'C', 100-1); /* fill with L'C's */64 source[100-1] = L'\0'; /* null terminate */65 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */66 memmove(data, source, 100*sizeof(wchar_t));67 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */68 printWLine(data);69 }70}7172static void goodG2B()73{74 wchar_t * data;75 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));76 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));77 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */78 data = dataGoodBuffer;79 data[0] = L'\0'; /* null terminate */80 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_goodG2BData = data;81 goodG2BSink();82}8384void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_good()85{86 goodG2B();87}8889#endif /* OMITGOOD */9091/* Below is the main(). It is only used when building this testcase on92 * its own for testing or for building a binary to use in testing binary93 * analysis tools. It is not used when compiling all the testcases as one94 * application, which is how source code analysis tools are tested.95 */96#ifdef INCLUDEMAIN9798int main(int argc, char * argv[])99{100 /* seed randomness */101 srand( (unsigned)time(NULL) );102#ifndef OMITGOOD103 printLine("Calling good()...");104 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_good();105 printLine("Finished good()");106#endif /* OMITGOOD */107#ifndef OMITBAD108 printLine("Calling bad()...");109 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_bad();110 printLine("Finished bad()");111#endif /* OMITBAD */112 return 0;113}114115#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_cpy_33.cpp3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sinks: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE127_Buffer_Underread__malloc_char_cpy_3322{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 char * &dataRef = data;✓ 30 data = NULL;31 {✓ 32 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 33 if (dataBuffer == NULL) {exit(-1);}✓ 34 memset(dataBuffer, 'A', 100-1);✓ 35 dataBuffer[100-1] = '\0';36 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 37 data = dataBuffer - 8;38 }39 {✓ 40 char * data = dataRef;41 {✓ 42 char dest[100*2];✓ 43 memset(dest, 'C', 100*2-1); /* fill with 'C's */✓ 44 dest[100*2-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 46 strcpy(dest, data);❗VULN✓ 47 printLine(dest);48 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location49 * returned by malloc() so can't safely call free() on it */50 }51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B() uses the GoodSource with the BadSink */59static void goodG2B()60{61 char * data;62 char * &dataRef = data;63 data = NULL;64 {65 char * dataBuffer = (char *)malloc(100*sizeof(char));66 if (dataBuffer == NULL) {exit(-1);}67 memset(dataBuffer, 'A', 100-1);68 dataBuffer[100-1] = '\0';69 /* FIX: Set data pointer to the allocated memory buffer */70 data = dataBuffer;71 }72 {73 char * data = dataRef;74 {75 char dest[100*2];76 memset(dest, 'C', 100*2-1); /* fill with 'C's */77 dest[100*2-1] = '\0'; /* null terminate */78 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */79 strcpy(dest, data);80 printLine(dest);81 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location82 * returned by malloc() so can't safely call free() on it */83 }84 }85}8687void good()88{89 goodG2B();90}9192#endif /* OMITGOOD */9394} /* close namespace */9596/* Below is the main(). It is only used when building this testcase on97 * its own for testing or for building a binary to use in testing binary98 * analysis tools. It is not used when compiling all the testcases as one99 * application, which is how source code analysis tools are tested.100 */101#ifdef INCLUDEMAIN102103using namespace CWE127_Buffer_Underread__malloc_char_cpy_33; /* so that we can use good and bad easily */104105int main(int argc, char * argv[])106{107 /* seed randomness */108 srand( (unsigned)time(NULL) );109#ifndef OMITGOOD110 printLine("Calling good()...");111 good();112 printLine("Finished good()");113#endif /* OMITGOOD */114#ifndef OMITBAD115 printLine("Calling bad()...");116 bad();117 printLine("Finished bad()");118#endif /* OMITBAD */119 return 0;120}121122#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__CWE839_fgets_12.c3Label Definition File: CWE127_Buffer_Underread__CWE839.label.xml4Template File: sources-sinks-12.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Underread9 * BadSource: fgets Read data from the console using fgets()10 * GoodSource: Non-negative but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking to see if the value is negative14 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())15 *16 * */1718#include "std_testcase.h"1920#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)2122#ifndef OMITBAD2324void CWE127_Buffer_Underread__CWE839_fgets_12_bad()25{✓ 26 int data;27 /* Initialize data */✓ 28 data = -1;✓ 29 if(globalReturnsTrueOrFalse())30 {31 {✓ 32 char inputBuffer[CHAR_ARRAY_SIZE] = "";33 /* POTENTIAL FLAW: Read data from the console using fgets() */✓ 34 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)35 {36 /* Convert to int */✓ 37 data = atoi(inputBuffer);38 }39 else40 {✓ 41 printLine("fgets() failed.");42 }43 }44 }45 else46 {47 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to48 * access an index of the array in the sink that is out-of-bounds */✓ 49 data = 7;50 }✓ 51 if(globalReturnsTrueOrFalse())52 {53 {✓ 54 int buffer[10] = { 0 };55 /* POTENTIAL FLAW: Attempt to access a negative index of the array56 * This check does not check to see if the array index is negative */✓ 57 if (data < 10)58 {✓ 59 printIntLine(buffer[data]);❗VULN60 }61 else62 {✓ 63 printLine("ERROR: Array index is too big.");64 }65 }66 }67 else68 {69 {✓ 70 int buffer[10] = { 0 };71 /* FIX: Properly validate the array index and prevent a buffer underread */✓ 72 if (data >= 0 && data < (10))73 {✓ 74 printIntLine(buffer[data]);75 }76 else77 {✓ 78 printLine("ERROR: Array index is out-of-bounds");79 }80 }81 }82}8384#endif /* OMITBAD */8586#ifndef OMITGOOD8788/* goodB2G() - use badsource and goodsink by changing the first "if" so that89 both branches use the BadSource and the second "if" so that both branches90 use the GoodSink */91static void goodB2G()92{93 int data;94 /* Initialize data */95 data = -1;96 if(globalReturnsTrueOrFalse())97 {98 {99 char inputBuffer[CHAR_ARRAY_SIZE] = "";100 /* POTENTIAL FLAW: Read data from the console using fgets() */101 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)102 {103 /* Convert to int */104 data = atoi(inputBuffer);105 }106 else107 {108 printLine("fgets() failed.");109 }110 }111 }112 else113 {114 {115 char inputBuffer[CHAR_ARRAY_SIZE] = "";116 /* POTENTIAL FLAW: Read data from the console using fgets() */117 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)118 {119 /* Convert to int */120 data = atoi(inputBuffer);121 }122 else123 {124 printLine("fgets() failed.");125 }126 }127 }128 if(globalReturnsTrueOrFalse())129 {130 {131 int buffer[10] = { 0 };132 /* FIX: Properly validate the array index and prevent a buffer underread */133 if (data >= 0 && data < (10))134 {135 printIntLine(buffer[data]);136 }137 else138 {139 printLine("ERROR: Array index is out-of-bounds");140 }141 }142 }143 else144 {145 {146 int buffer[10] = { 0 };147 /* FIX: Properly validate the array index and prevent a buffer underread */148 if (data >= 0 && data < (10))149 {150 printIntLine(buffer[data]);151 }152 else153 {154 printLine("ERROR: Array index is out-of-bounds");155 }156 }157 }158}159160/* goodG2B() - use goodsource and badsink by changing the first "if" so that161 both branches use the GoodSource and the second "if" so that both branches162 use the BadSink */163static void goodG2B()164{165 int data;166 /* Initialize data */167 data = -1;168 if(globalReturnsTrueOrFalse())169 {170 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to171 * access an index of the array in the sink that is out-of-bounds */172 data = 7;173 }174 else175 {176 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to177 * access an index of the array in the sink that is out-of-bounds */178 data = 7;179 }180 if(globalReturnsTrueOrFalse())181 {182 {183 int buffer[10] = { 0 };184 /* POTENTIAL FLAW: Attempt to access a negative index of the array185 * This check does not check to see if the array index is negative */186 if (data < 10)187 {188 printIntLine(buffer[data]);189 }190 else191 {192 printLine("ERROR: Array index is too big.");193 }194 }195 }196 else197 {198 {199 int buffer[10] = { 0 };200 /* POTENTIAL FLAW: Attempt to access a negative index of the array201 * This check does not check to see if the array index is negative */202 if (data < 10)203 {204 printIntLine(buffer[data]);205 }206 else207 {208 printLine("ERROR: Array index is too big.");209 }210 }211 }212}213214void CWE127_Buffer_Underread__CWE839_fgets_12_good()215{216 goodB2G();217 goodG2B();218}219220#endif /* OMITGOOD */221222/* Below is the main(). It is only used when building this testcase on223 its own for testing or for building a binary to use in testing binary224 analysis tools. It is not used when compiling all the testcases as one225 application, which is how source code analysis tools are tested. */226227#ifdef INCLUDEMAIN228229int main(int argc, char * argv[])230{231 /* seed randomness */232 srand( (unsigned)time(NULL) );233#ifndef OMITGOOD234 printLine("Calling good()...");235 CWE127_Buffer_Underread__CWE839_fgets_12_good();236 printLine("Finished good()");237#endif /* OMITGOOD */238#ifndef OMITBAD239 printLine("Calling bad()...");240 CWE127_Buffer_Underread__CWE839_fgets_12_bad();241 printLine("Finished bad()");242#endif /* OMITBAD */243 return 0;244}245246#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml4Template File: sources-sinks-45.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: large Large index value that is greater than 10-110 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file15 *16 * */1718#include "std_testcase.h"1920static int CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_badData;21static int CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodG2BData;22static int CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodB2GData;2324#ifndef OMITBAD2526static void badSink()27{✓ 28 int data = CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_badData;29 {✓ 30 int i;✓ 31 int buffer[10] = { 0 };32 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound33 * This code does check to see if the array index is negative */✓ 34 if (data >= 0)35 {✓ 36 buffer[data] = 1;❗VULN37 /* Print the array values */✓ 38 for(i = 0; i < 10; i++)39 {✓ 40 printIntLine(buffer[i]);41 }42 }43 else44 {✓ 45 printLine("ERROR: Array index is negative.");46 }47 }48}4950void CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_bad()51{52 int data;53 /* Initialize data */54 data = -1;55 /* POTENTIAL FLAW: Use an invalid index */56 data = 10;57 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_badData = data;58 badSink();59}6061#endif /* OMITBAD */6263#ifndef OMITGOOD6465/* goodG2B() uses the GoodSource with the BadSink */66static void goodG2BSink()67{68 int data = CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodG2BData;69 {70 int i;71 int buffer[10] = { 0 };72 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound73 * This code does check to see if the array index is negative */74 if (data >= 0)75 {76 buffer[data] = 1;77 /* Print the array values */78 for(i = 0; i < 10; i++)79 {80 printIntLine(buffer[i]);81 }82 }83 else84 {85 printLine("ERROR: Array index is negative.");86 }87 }88}8990static void goodG2B()91{92 int data;93 /* Initialize data */94 data = -1;95 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to96 * access an index of the array in the sink that is out-of-bounds */97 data = 7;98 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodG2BData = data;99 goodG2BSink();100}101102/* goodB2G() uses the BadSource with the GoodSink */103static void goodB2GSink()104{105 int data = CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodB2GData;106 {107 int i;108 int buffer[10] = { 0 };109 /* FIX: Properly validate the array index and prevent a buffer overflow */110 if (data >= 0 && data < (10))111 {112 buffer[data] = 1;113 /* Print the array values */114 for(i = 0; i < 10; i++)115 {116 printIntLine(buffer[i]);117 }118 }119 else120 {121 printLine("ERROR: Array index is out-of-bounds");122 }123 }124}125126static void goodB2G()127{128 int data;129 /* Initialize data */130 data = -1;131 /* POTENTIAL FLAW: Use an invalid index */132 data = 10;133 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodB2GData = data;134 goodB2GSink();135}136137void CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_good()138{139 goodG2B();140 goodB2G();141}142143#endif /* OMITGOOD */144145/* Below is the main(). It is only used when building this testcase on146 its own for testing or for building a binary to use in testing binary147 analysis tools. It is not used when compiling all the testcases as one148 application, which is how source code analysis tools are tested. */149#ifdef INCLUDEMAIN150151int main(int argc, char * argv[])152{153 /* seed randomness */154 srand( (unsigned)time(NULL) );155#ifndef OMITGOOD156 printLine("Calling good()...");157 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_good();158 printLine("Finished good()");159#endif /* OMITGOOD */160#ifndef OMITBAD161 printLine("Calling bad()...");162 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_bad();163 printLine("Finished bad()");164#endif /* OMITBAD */165 return 0;166}167168#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memmove_16.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml4Template File: sources-sink-16.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy int64_t array to data using memmove13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memmove_1620{2122#ifndef OMITBAD2324void bad()25{✓ 26 int64_t * data;✓ 27 data = NULL;✓ 28 while(1)29 {30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 31 data = new int64_t[50];✓ 32 break;33 }34 {✓ 35 int64_t source[100] = {0}; /* fill with 0's */36 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 37 memmove(data, source, 100*sizeof(int64_t));❗VULN✓ 38 printLongLongLine(data[0]);✓ 39 delete [] data;40 }41}4243#endif /* OMITBAD */4445#ifndef OMITGOOD4647/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */48static void goodG2B()49{50 int64_t * data;51 data = NULL;52 while(1)53 {54 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */55 data = new int64_t[100];56 break;57 }58 {59 int64_t source[100] = {0}; /* fill with 0's */60 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */61 memmove(data, source, 100*sizeof(int64_t));62 printLongLongLine(data[0]);63 delete [] data;64 }65}6667void good()68{69 goodG2B();70}7172#endif /* OMITGOOD */7374} /* close namespace */7576/* Below is the main(). It is only used when building this testcase on77 its own for testing or for building a binary to use in testing binary78 analysis tools. It is not used when compiling all the testcases as one79 application, which is how source code analysis tools are tested. */8081#ifdef INCLUDEMAIN8283using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memmove_16; /* so that we can use good and bad easily */8485int main(int argc, char * argv[])86{87 /* seed randomness */88 srand( (unsigned)time(NULL) );89#ifndef OMITGOOD90 printLine("Calling good()...");91 good();92 printLine("Finished good()");93#endif /* OMITGOOD */94#ifndef OMITBAD95 printLine("Calling bad()...");96 bad();97 printLine("Finished bad()");98#endif /* OMITBAD */99 return 0;100}101102#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_declare_memmove_17.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-17.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__wchar_t_declare_memmove_17_bad()24{✓ 25 int i;✓ 26 wchar_t * data;✓ 27 wchar_t dataBuffer[100];✓ 28 wmemset(dataBuffer, L'A', 100-1);✓ 29 dataBuffer[100-1] = L'\0';✓ 30 for(i = 0; i < 1; i++)31 {32 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 33 data = dataBuffer - 8;34 }35 {✓ 36 wchar_t dest[100];✓ 37 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 38 dest[100-1] = L'\0'; /* null terminate */39 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 40 memmove(dest, data, 100*sizeof(wchar_t));❗VULN41 /* Ensure null termination */✓ 42 dest[100-1] = L'\0';✓ 43 printWLine(dest);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */52static void goodG2B()53{54 int h;55 wchar_t * data;56 wchar_t dataBuffer[100];57 wmemset(dataBuffer, L'A', 100-1);58 dataBuffer[100-1] = L'\0';59 for(h = 0; h < 1; h++)60 {61 /* FIX: Set data pointer to the allocated memory buffer */62 data = dataBuffer;63 }64 {65 wchar_t dest[100];66 wmemset(dest, L'C', 100-1); /* fill with 'C's */67 dest[100-1] = L'\0'; /* null terminate */68 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */69 memmove(dest, data, 100*sizeof(wchar_t));70 /* Ensure null termination */71 dest[100-1] = L'\0';72 printWLine(dest);73 }74}7576void CWE127_Buffer_Underread__wchar_t_declare_memmove_17_good()77{78 goodG2B();79}8081#endif /* OMITGOOD */8283/* Below is the main(). It is only used when building this testcase on84 * its own for testing or for building a binary to use in testing binary85 * analysis tools. It is not used when compiling all the testcases as one86 * application, which is how source code analysis tools are tested.87 */8889#ifdef INCLUDEMAIN9091int main(int argc, char * argv[])92{93 /* seed randomness */94 srand( (unsigned)time(NULL) );95#ifndef OMITGOOD96 printLine("Calling good()...");97 CWE127_Buffer_Underread__wchar_t_declare_memmove_17_good();98 printLine("Finished good()");99#endif /* OMITGOOD */100#ifndef OMITBAD101 printLine("Calling bad()...");102 CWE127_Buffer_Underread__wchar_t_declare_memmove_17_bad();103 printLine("Finished bad()");104#endif /* OMITBAD */105 return 0;106}107108#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__new_char_memmove_05.cpp3Label Definition File: CWE126_Buffer_Overread__new.label.xml4Template File: sources-sink-05.tmpl.cpp5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 assigned any other value, so a tool should be able to identify that23 reads of these will always return their initialized values. */24static int staticTrue = 1; /* true */25static int staticFalse = 0; /* false */2627namespace CWE126_Buffer_Overread__new_char_memmove_0528{2930#ifndef OMITBAD3132void bad()33{✓ 34 char * data;✓ 35 data = NULL;✓ 36 if(staticTrue)37 {38 /* FLAW: Use a small buffer */✓ 39 data = new char[50];✓ 40 memset(data, 'A', 50-1); /* fill with 'A's */✓ 41 data[50-1] = '\0'; /* null terminate */42 }43 {✓ 44 char dest[100];✓ 45 memset(dest, 'C', 100-1);✓ 46 dest[100-1] = '\0'; /* null terminate */47 /* POTENTIAL FLAW: using memmove with the length of the dest where data48 * could be smaller than dest causing buffer overread */✓ 49 memmove(dest, data, strlen(dest)*sizeof(char));❗VULN✓ 50 dest[100-1] = '\0';✓ 51 printLine(dest);✓ 52 delete [] data;53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */61static void goodG2B1()62{63 char * data;64 data = NULL;65 if(staticFalse)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 /* FIX: Use a large buffer */73 data = new char[100];74 memset(data, 'A', 100-1); /* fill with 'A's */75 data[100-1] = '\0'; /* null terminate */76 }77 {78 char dest[100];79 memset(dest, 'C', 100-1);80 dest[100-1] = '\0'; /* null terminate */81 /* POTENTIAL FLAW: using memmove with the length of the dest where data82 * could be smaller than dest causing buffer overread */83 memmove(dest, data, strlen(dest)*sizeof(char));84 dest[100-1] = '\0';85 printLine(dest);86 delete [] data;87 }88}8990/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */91static void goodG2B2()92{93 char * data;94 data = NULL;95 if(staticTrue)96 {97 /* FIX: Use a large buffer */98 data = new char[100];99 memset(data, 'A', 100-1); /* fill with 'A's */100 data[100-1] = '\0'; /* null terminate */101 }102 {103 char dest[100];104 memset(dest, 'C', 100-1);105 dest[100-1] = '\0'; /* null terminate */106 /* POTENTIAL FLAW: using memmove with the length of the dest where data107 * could be smaller than dest causing buffer overread */108 memmove(dest, data, strlen(dest)*sizeof(char));109 dest[100-1] = '\0';110 printLine(dest);111 delete [] data;112 }113}114115void good()116{117 goodG2B1();118 goodG2B2();119}120121#endif /* OMITGOOD */122123} /* close namespace */124125/* Below is the main(). It is only used when building this testcase on126 its own for testing or for building a binary to use in testing binary127 analysis tools. It is not used when compiling all the testcases as one128 application, which is how source code analysis tools are tested. */129130#ifdef INCLUDEMAIN131132using namespace CWE126_Buffer_Overread__new_char_memmove_05; /* so that we can use good and bad easily */133134int main(int argc, char * argv[])135{136 /* seed randomness */137 srand( (unsigned)time(NULL) );138#ifndef OMITGOOD139 printLine("Calling good()...");140 good();141 printLine("Finished good()");142#endif /* OMITGOOD */143#ifndef OMITBAD144 printLine("Calling bad()...");145 bad();146 printLine("Finished bad()");147#endif /* OMITBAD */148 return 0;149}150151#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml4Template File: sources-sink-01.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy int64_t array to data using memcpy13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01_bad()22{✓ 23 int64_t * data;✓ 24 data = NULL;25 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 26 data = (int64_t *)malloc(50*sizeof(int64_t));✓ 27 if (data == NULL) {exit(-1);}28 {✓ 29 int64_t source[100] = {0}; /* fill with 0's */30 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 31 memcpy(data, source, 100*sizeof(int64_t));❗VULN✓ 32 printLongLongLine(data[0]);✓ 33 free(data);34 }35}3637#endif /* OMITBAD */3839#ifndef OMITGOOD4041/* goodG2B uses the GoodSource with the BadSink */42static void goodG2B()43{44 int64_t * data;45 data = NULL;46 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */47 data = (int64_t *)malloc(100*sizeof(int64_t));48 if (data == NULL) {exit(-1);}49 {50 int64_t source[100] = {0}; /* fill with 0's */51 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */52 memcpy(data, source, 100*sizeof(int64_t));53 printLongLongLine(data[0]);54 free(data);55 }56}5758void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01_good()59{60 goodG2B();61}6263#endif /* OMITGOOD */6465/* Below is the main(). It is only used when building this testcase on66 * its own for testing or for building a binary to use in testing binary67 * analysis tools. It is not used when compiling all the testcases as one68 * application, which is how source code analysis tools are tested.69 */7071#ifdef INCLUDEMAIN7273int main(int argc, char * argv[])74{75 /* seed randomness */76 srand( (unsigned)time(NULL) );77#ifndef OMITGOOD78 printLine("Calling good()...");79 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01_good();80 printLine("Finished good()");81#endif /* OMITGOOD */82#ifndef OMITBAD83 printLine("Calling bad()...");84 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01_bad();85 printLine("Finished bad()");86#endif /* OMITBAD */87 return 0;88}8990#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__malloc_wchar_t_memmove_33.cpp3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sinks: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE126_Buffer_Overread__malloc_wchar_t_memmove_3322{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 wchar_t * &dataRef = data;✓ 30 data = NULL;31 /* FLAW: Use a small buffer */✓ 32 data = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 33 if (data == NULL) {exit(-1);}✓ 34 wmemset(data, L'A', 50-1); /* fill with 'A's */✓ 35 data[50-1] = L'\0'; /* null terminate */36 {✓ 37 wchar_t * data = dataRef;38 {✓ 39 wchar_t dest[100];✓ 40 wmemset(dest, L'C', 100-1);✓ 41 dest[100-1] = L'\0'; /* null terminate */42 /* POTENTIAL FLAW: using memmove with the length of the dest where data43 * could be smaller than dest causing buffer overread */✓ 44 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN✓ 45 dest[100-1] = L'\0';✓ 46 printWLine(dest);✓ 47 free(data);48 }49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B() uses the GoodSource with the BadSink */57static void goodG2B()58{59 wchar_t * data;60 wchar_t * &dataRef = data;61 data = NULL;62 /* FIX: Use a large buffer */63 data = (wchar_t *)malloc(100*sizeof(wchar_t));64 if (data == NULL) {exit(-1);}65 wmemset(data, L'A', 100-1); /* fill with 'A's */66 data[100-1] = L'\0'; /* null terminate */67 {68 wchar_t * data = dataRef;69 {70 wchar_t dest[100];71 wmemset(dest, L'C', 100-1);72 dest[100-1] = L'\0'; /* null terminate */73 /* POTENTIAL FLAW: using memmove with the length of the dest where data74 * could be smaller than dest causing buffer overread */75 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));76 dest[100-1] = L'\0';77 printWLine(dest);78 free(data);79 }80 }81}8283void good()84{85 goodG2B();86}8788#endif /* OMITGOOD */8990} /* close namespace */9192/* Below is the main(). It is only used when building this testcase on93 * its own for testing or for building a binary to use in testing binary94 * analysis tools. It is not used when compiling all the testcases as one95 * application, which is how source code analysis tools are tested.96 */97#ifdef INCLUDEMAIN9899using namespace CWE126_Buffer_Overread__malloc_wchar_t_memmove_33; /* so that we can use good and bad easily */100101int main(int argc, char * argv[])102{103 /* seed randomness */104 srand( (unsigned)time(NULL) );105#ifndef OMITGOOD106 printLine("Calling good()...");107 good();108 printLine("Finished good()");109#endif /* OMITGOOD */110#ifndef OMITBAD111 printLine("Calling bad()...");112 bad();113 printLine("Finished bad()");114#endif /* OMITBAD */115 return 0;116}117118#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_33.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sinks: memmove12 * BadSink : Copy int array to data using memmove13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_3320{2122#ifndef OMITBAD2324void bad()25{✓ 26 int * data;✓ 27 int * &dataRef = data;✓ 28 data = NULL;29 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 30 data = (int *)malloc(50*sizeof(int));✓ 31 if (data == NULL) {exit(-1);}32 {✓ 33 int * data = dataRef;34 {✓ 35 int source[100] = {0}; /* fill with 0's */36 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 37 memmove(data, source, 100*sizeof(int));❗VULN✓ 38 printIntLine(data[0]);✓ 39 free(data);40 }41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B() uses the GoodSource with the BadSink */49static void goodG2B()50{51 int * data;52 int * &dataRef = data;53 data = NULL;54 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */55 data = (int *)malloc(100*sizeof(int));56 if (data == NULL) {exit(-1);}57 {58 int * data = dataRef;59 {60 int source[100] = {0}; /* fill with 0's */61 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */62 memmove(data, source, 100*sizeof(int));63 printIntLine(data[0]);64 free(data);65 }66 }67}6869void good()70{71 goodG2B();72}7374#endif /* OMITGOOD */7576} /* close namespace */7778/* Below is the main(). It is only used when building this testcase on79 * its own for testing or for building a binary to use in testing binary80 * analysis tools. It is not used when compiling all the testcases as one81 * application, which is how source code analysis tools are tested.82 */83#ifdef INCLUDEMAIN8485using namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_33; /* so that we can use good and bad easily */8687int main(int argc, char * argv[])88{89 /* seed randomness */90 srand( (unsigned)time(NULL) );91#ifndef OMITGOOD92 printLine("Calling good()...");93 good();94 printLine("Finished good()");95#endif /* OMITGOOD */96#ifndef OMITBAD97 printLine("Calling bad()...");98 bad();99 printLine("Finished bad()");100#endif /* OMITBAD */101 return 0;102}103104#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__new_char_memmove_05.cpp3Label Definition File: CWE127_Buffer_Underread__new.label.xml4Template File: sources-sink-05.tmpl.cpp5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 assigned any other value, so a tool should be able to identify that23 reads of these will always return their initialized values. */24static int staticTrue = 1; /* true */25static int staticFalse = 0; /* false */2627namespace CWE127_Buffer_Underread__new_char_memmove_0528{2930#ifndef OMITBAD3132void bad()33{✓ 34 char * data;✓ 35 data = NULL;✓ 36 if(staticTrue)37 {38 {✓ 39 char * dataBuffer = new char[100];✓ 40 memset(dataBuffer, 'A', 100-1);✓ 41 dataBuffer[100-1] = '\0';42 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 43 data = dataBuffer - 8;44 }45 }46 {✓ 47 char dest[100];✓ 48 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 49 dest[100-1] = '\0'; /* null terminate */50 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 51 memmove(dest, data, 100*sizeof(char));❗VULN52 /* Ensure null termination */✓ 53 dest[100-1] = '\0';✓ 54 printLine(dest);55 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location56 * returned by new [] so can't safely call delete [] on it */57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */65static void goodG2B1()66{67 char * data;68 data = NULL;69 if(staticFalse)70 {71 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */72 printLine("Benign, fixed string");73 }74 else75 {76 {77 char * dataBuffer = new char[100];78 memset(dataBuffer, 'A', 100-1);79 dataBuffer[100-1] = '\0';80 /* FIX: Set data pointer to the allocated memory buffer */81 data = dataBuffer;82 }83 }84 {85 char dest[100];86 memset(dest, 'C', 100-1); /* fill with 'C's */87 dest[100-1] = '\0'; /* null terminate */88 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */89 memmove(dest, data, 100*sizeof(char));90 /* Ensure null termination */91 dest[100-1] = '\0';92 printLine(dest);93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location94 * returned by new [] so can't safely call delete [] on it */95 }96}9798/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */99static void goodG2B2()100{101 char * data;102 data = NULL;103 if(staticTrue)104 {105 {106 char * dataBuffer = new char[100];107 memset(dataBuffer, 'A', 100-1);108 dataBuffer[100-1] = '\0';109 /* FIX: Set data pointer to the allocated memory buffer */110 data = dataBuffer;111 }112 }113 {114 char dest[100];115 memset(dest, 'C', 100-1); /* fill with 'C's */116 dest[100-1] = '\0'; /* null terminate */117 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */118 memmove(dest, data, 100*sizeof(char));119 /* Ensure null termination */120 dest[100-1] = '\0';121 printLine(dest);122 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location123 * returned by new [] so can't safely call delete [] on it */124 }125}126127void good()128{129 goodG2B1();130 goodG2B2();131}132133#endif /* OMITGOOD */134135} /* close namespace */136137/* Below is the main(). It is only used when building this testcase on138 its own for testing or for building a binary to use in testing binary139 analysis tools. It is not used when compiling all the testcases as one140 application, which is how source code analysis tools are tested. */141142#ifdef INCLUDEMAIN143144using namespace CWE127_Buffer_Underread__new_char_memmove_05; /* so that we can use good and bad easily */145146int main(int argc, char * argv[])147{148 /* seed randomness */149 srand( (unsigned)time(NULL) );150#ifndef OMITGOOD151 printLine("Calling good()...");152 good();153 printLine("Finished good()");154#endif /* OMITGOOD */155#ifndef OMITBAD156 printLine("Calling bad()...");157 bad();158 printLine("Finished bad()");159#endif /* OMITBAD */160 return 0;161}162163#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml4Template File: sources-sink-10.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Point data to a buffer that does not have space for a NULL terminator10 * GoodSource: Point data to a buffer that includes space for a NULL terminator11 * Sink: loop12 * BadSink : Copy array to data using a loop13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING L"AAAAAAAAAA"2526#ifndef OMITBAD2728void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10_bad()29{✓ 30 wchar_t * data;✓ 31 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));✓ 32 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));✓ 33 if(globalTrue)34 {35 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing36 * string copies in the sinks */✓ 37 data = dataBadBuffer;✓ 38 data[0] = L'\0'; /* null terminate */39 }40 {✓ 41 wchar_t source[10+1] = SRC_STRING;✓ 42 size_t i, sourceLen;✓ 43 sourceLen = wcslen(source);44 /* Copy length + 1 to include NUL terminator from source */45 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 46 for (i = 0; i < sourceLen + 1; i++)47 {✓ 48 data[i] = source[i];❗VULN49 }✓ 50 printWLine(data);51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */59static void goodG2B1()60{61 wchar_t * data;62 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));63 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));64 if(globalFalse)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing72 * string copies in the sinks */73 data = dataGoodBuffer;74 data[0] = L'\0'; /* null terminate */75 }76 {77 wchar_t source[10+1] = SRC_STRING;78 size_t i, sourceLen;79 sourceLen = wcslen(source);80 /* Copy length + 1 to include NUL terminator from source */81 /* POTENTIAL FLAW: data may not have enough space to hold source */82 for (i = 0; i < sourceLen + 1; i++)83 {84 data[i] = source[i];85 }86 printWLine(data);87 }88}8990/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */91static void goodG2B2()92{93 wchar_t * data;94 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));95 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));96 if(globalTrue)97 {98 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing99 * string copies in the sinks */100 data = dataGoodBuffer;101 data[0] = L'\0'; /* null terminate */102 }103 {104 wchar_t source[10+1] = SRC_STRING;105 size_t i, sourceLen;106 sourceLen = wcslen(source);107 /* Copy length + 1 to include NUL terminator from source */108 /* POTENTIAL FLAW: data may not have enough space to hold source */109 for (i = 0; i < sourceLen + 1; i++)110 {111 data[i] = source[i];112 }113 printWLine(data);114 }115}116117void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10_good()118{119 goodG2B1();120 goodG2B2();121}122123#endif /* OMITGOOD */124125/* Below is the main(). It is only used when building this testcase on126 * its own for testing or for building a binary to use in testing binary127 * analysis tools. It is not used when compiling all the testcases as one128 * application, which is how source code analysis tools are tested.129 */130131#ifdef INCLUDEMAIN132133int main(int argc, char * argv[])134{135 /* seed randomness */136 srand( (unsigned)time(NULL) );137#ifndef OMITGOOD138 printLine("Calling good()...");139 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10_good();140 printLine("Finished good()");141#endif /* OMITGOOD */142#ifndef OMITBAD143 printLine("Calling bad()...");144 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10_bad();145 printLine("Finished bad()");146#endif /* OMITBAD */147 return 0;148}149150#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: cpy12 * BadSink : Copy string to data using wcscpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 * any other value so a tool should be able to identify that reads of23 * this will always give its initialized value.24 */25static int staticFive = 5;2627#ifndef OMITBAD2829void CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07_bad()30{✓ 31 wchar_t * data;✓ 32 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));✓ 33 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 34 if(staticFive==5)35 {36 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination37 * buffer in various memory copying functions using a "large" source buffer. */✓ 38 data = dataBadBuffer;✓ 39 data[0] = L'\0'; /* null terminate */40 }41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 46 wcscpy(data, source);❗VULN✓ 47 printWLine(data);48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */56static void goodG2B1()57{58 wchar_t * data;59 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));60 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));61 if(staticFive!=5)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */69 data = dataGoodBuffer;70 data[0] = L'\0'; /* null terminate */71 }72 {73 wchar_t source[100];74 wmemset(source, L'C', 100-1); /* fill with L'C's */75 source[100-1] = L'\0'; /* null terminate */76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */77 wcscpy(data, source);78 printWLine(data);79 }80}8182/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */83static void goodG2B2()84{85 wchar_t * data;86 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));87 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));88 if(staticFive==5)89 {90 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */91 data = dataGoodBuffer;92 data[0] = L'\0'; /* null terminate */93 }94 {95 wchar_t source[100];96 wmemset(source, L'C', 100-1); /* fill with L'C's */97 source[100-1] = L'\0'; /* null terminate */98 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */99 wcscpy(data, source);100 printWLine(data);101 }102}103104void CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07_good()105{106 goodG2B1();107 goodG2B2();108}109110#endif /* OMITGOOD */111112/* Below is the main(). It is only used when building this testcase on113 * its own for testing or for building a binary to use in testing binary114 * analysis tools. It is not used when compiling all the testcases as one115 * application, which is how source code analysis tools are tested.116 */117118#ifdef INCLUDEMAIN119120int main(int argc, char * argv[])121{122 /* seed randomness */123 srand( (unsigned)time(NULL) );124#ifndef OMITGOOD125 printLine("Calling good()...");126 CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07_good();127 printLine("Finished good()");128#endif /* OMITGOOD */129#ifndef OMITBAD130 printLine("Calling bad()...");131 CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07_bad();132 printLine("Finished bad()");133#endif /* OMITBAD */134 return 0;135}136137#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 2 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__placement_new_10.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__placement_new.label.xml4Template File: sources-sinks-10.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data to a small buffer10 * GoodSource: Initialize data to a buffer large enough to hold a TwoIntsClass11 * Sinks:12 * GoodSink: Allocate a new class using placement new and a buffer that is large enough to hold the class13 * BadSink : Allocate a new class using placement new and a buffer that is too small14 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)15 *16 * */1718#include "std_testcase.h"1920namespace CWE122_Heap_Based_Buffer_Overflow__placement_new_1021{2223#ifndef OMITBAD2425void bad()26{✓ 27 char * data;✓ 28 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));✓ 29 if (dataBadBuffer == NULL) {exit(-1);}✓ 30 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));✓ 31 if (dataGoodBuffer == NULL) {exit(-1);}✓ 32 if(globalTrue)33 {34 /* POTENTIAL FLAW: Initialize data to a buffer small than the sizeof(TwoIntsClass) */✓ 35 data = dataBadBuffer;36 }✓ 37 if(globalTrue)38 {39 {40 /* The Visual C++ compiler generates a warning if you initialize the class with ().41 * This will cause the compile to default-initialize the object.42 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx43 */44 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */✓ 45 TwoIntsClass * classTwo = new(data) TwoIntsClass;46 /* Initialize and make use of the class */✗ 47 classTwo->intOne = 5;✓ 48 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */❗VULN✓ 49 printIntLine(classTwo->intOne);50 /* skip printing classTwo->intTwo since that could be a buffer overread */✓ 51 free(data);52 }53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodB2G1() - use badsource and goodsink by changing the second globalTrue to globalFalse */61static void goodB2G1()62{63 char * data;64 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));65 if (dataBadBuffer == NULL) {exit(-1);}66 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));67 if (dataGoodBuffer == NULL) {exit(-1);}68 if(globalTrue)69 {70 /* POTENTIAL FLAW: Initialize data to a buffer small than the sizeof(TwoIntsClass) */71 data = dataBadBuffer;72 }73 if(globalFalse)74 {75 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */76 printLine("Benign, fixed string");77 }78 else79 {80 {81 /* The Visual C++ compiler generates a warning if you initialize the class with ().82 * This will cause the compile to default-initialize the object.83 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx84 */85 /* FIX: data will at least be the sizeof(OneIntClass) */86 OneIntClass * classOne = new(data) OneIntClass;87 /* Initialize and make use of the class */88 classOne->intOne = 5;89 printIntLine(classOne->intOne);90 free(data);91 }92 }93}9495/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */96static void goodB2G2()97{98 char * data;99 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));100 if (dataBadBuffer == NULL) {exit(-1);}101 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));102 if (dataGoodBuffer == NULL) {exit(-1);}103 if(globalTrue)104 {105 /* POTENTIAL FLAW: Initialize data to a buffer small than the sizeof(TwoIntsClass) */106 data = dataBadBuffer;107 }108 if(globalTrue)109 {110 {111 /* The Visual C++ compiler generates a warning if you initialize the class with ().112 * This will cause the compile to default-initialize the object.113 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx114 */115 /* FIX: data will at least be the sizeof(OneIntClass) */116 OneIntClass * classOne = new(data) OneIntClass;117 /* Initialize and make use of the class */118 classOne->intOne = 5;119 printIntLine(classOne->intOne);120 free(data);121 }122 }123}124125/* goodG2B1() - use goodsource and badsink by changing the first globalTrue to globalFalse */126static void goodG2B1()127{128 char * data;129 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));130 if (dataBadBuffer == NULL) {exit(-1);}131 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));132 if (dataGoodBuffer == NULL) {exit(-1);}133 if(globalFalse)134 {135 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */136 printLine("Benign, fixed string");137 }138 else139 {140 /* FIX: Initialize to a buffer at least the sizeof(TwoIntsClass) */141 data = dataGoodBuffer;142 }143 if(globalTrue)144 {145 {146 /* The Visual C++ compiler generates a warning if you initialize the class with ().147 * This will cause the compile to default-initialize the object.148 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx149 */150 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */151 TwoIntsClass * classTwo = new(data) TwoIntsClass;152 /* Initialize and make use of the class */153 classTwo->intOne = 5;154 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */155 printIntLine(classTwo->intOne);156 /* skip printing classTwo->intTwo since that could be a buffer overread */157 free(data);158 }159 }160}161162/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */163static void goodG2B2()164{165 char * data;166 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));167 if (dataBadBuffer == NULL) {exit(-1);}168 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));169 if (dataGoodBuffer == NULL) {exit(-1);}170 if(globalTrue)171 {172 /* FIX: Initialize to a buffer at least the sizeof(TwoIntsClass) */173 data = dataGoodBuffer;174 }175 if(globalTrue)176 {177 {178 /* The Visual C++ compiler generates a warning if you initialize the class with ().179 * This will cause the compile to default-initialize the object.180 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx181 */182 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */183 TwoIntsClass * classTwo = new(data) TwoIntsClass;184 /* Initialize and make use of the class */185 classTwo->intOne = 5;186 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */187 printIntLine(classTwo->intOne);188 /* skip printing classTwo->intTwo since that could be a buffer overread */189 free(data);190 }191 }192}193194void good()195{196 goodB2G1();197 goodB2G2();198 goodG2B1();199 goodG2B2();200}201202#endif /* OMITGOOD */203204} /* close namespace */205206/* Below is the main(). It is only used when building this testcase on207 its own for testing or for building a binary to use in testing binary208 analysis tools. It is not used when compiling all the testcases as one209 application, which is how source code analysis tools are tested. */210211#ifdef INCLUDEMAIN212213using namespace CWE122_Heap_Based_Buffer_Overflow__placement_new_10; /* so that we can use good and bad easily */214215int main(int argc, char * argv[])216{217 /* seed randomness */218 srand( (unsigned)time(NULL) );219#ifndef OMITGOOD220 printLine("Calling good()...");221 good();222 printLine("Finished good()");223#endif /* OMITGOOD */224#ifndef OMITBAD225 printLine("Calling bad()...");226 bad();227 printLine("Finished bad()");228#endif /* OMITBAD */229 return 0;230}231232#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-17.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17_bad()24{✓ 25 int i;✓ 26 wchar_t * data;✓ 27 data = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 28 if (data == NULL) {exit(-1);}✓ 29 for(i = 0; i < 1; i++)30 {31 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 32 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 33 data[100-1] = L'\0'; /* null terminate */34 }35 {✓ 36 wchar_t dest[50] = L"";37 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 38 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN✓ 39 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 40 printWLine(data);✓ 41 free(data);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */50static void goodG2B()51{52 int h;53 wchar_t * data;54 data = (wchar_t *)malloc(100*sizeof(wchar_t));55 if (data == NULL) {exit(-1);}56 for(h = 0; h < 1; h++)57 {58 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */59 wmemset(data, L'A', 50-1); /* fill with L'A's */60 data[50-1] = L'\0'; /* null terminate */61 }62 {63 wchar_t dest[50] = L"";64 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */65 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));66 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */67 printWLine(data);68 free(data);69 }70}7172void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17_good()73{74 goodG2B();75}7677#endif /* OMITGOOD */7879/* Below is the main(). It is only used when building this testcase on80 * its own for testing or for building a binary to use in testing binary81 * analysis tools. It is not used when compiling all the testcases as one82 * application, which is how source code analysis tools are tested.83 */8485#ifdef INCLUDEMAIN8687int main(int argc, char * argv[])88{89 /* seed randomness */90 srand( (unsigned)time(NULL) );91#ifndef OMITGOOD92 printLine("Calling good()...");93 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17_good();94 printLine("Finished good()");95#endif /* OMITGOOD */96#ifndef OMITBAD97 printLine("Calling bad()...");98 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17_bad();99 printLine("Finished bad()");100#endif /* OMITBAD */101 return 0;102}103104#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memmove_05.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml4Template File: sources-sink-05.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sink: memmove12 * BadSink : Copy string to data using memmove()13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526/* The two variables below are not defined as "const", but are never27 assigned any other value, so a tool should be able to identify that28 reads of these will always return their initialized values. */29static int staticTrue = 1; /* true */30static int staticFalse = 0; /* false */3132namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memmove_0533{3435#ifndef OMITBAD3637void bad()38{✓ 39 char * data;✓ 40 data = NULL;✓ 41 if(staticTrue)42 {43 /* FLAW: Did not leave space for a null terminator */✓ 44 data = new char[10];45 }46 {✓ 47 char source[10+1] = SRC_STRING;48 /* Copy length + 1 to include NUL terminator from source */49 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 50 memmove(data, source, (strlen(source) + 1) * sizeof(char));❗VULN✓ 51 printLine(data);✓ 52 delete [] data;53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */61static void goodG2B1()62{63 char * data;64 data = NULL;65 if(staticFalse)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 /* FIX: Allocate space for a null terminator */73 data = new char[10+1];74 }75 {76 char source[10+1] = SRC_STRING;77 /* Copy length + 1 to include NUL terminator from source */78 /* POTENTIAL FLAW: data may not have enough space to hold source */79 memmove(data, source, (strlen(source) + 1) * sizeof(char));80 printLine(data);81 delete [] data;82 }83}8485/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */86static void goodG2B2()87{88 char * data;89 data = NULL;90 if(staticTrue)91 {92 /* FIX: Allocate space for a null terminator */93 data = new char[10+1];94 }95 {96 char source[10+1] = SRC_STRING;97 /* Copy length + 1 to include NUL terminator from source */98 /* POTENTIAL FLAW: data may not have enough space to hold source */99 memmove(data, source, (strlen(source) + 1) * sizeof(char));100 printLine(data);101 delete [] data;102 }103}104105void good()106{107 goodG2B1();108 goodG2B2();109}110111#endif /* OMITGOOD */112113} /* close namespace */114115/* Below is the main(). It is only used when building this testcase on116 its own for testing or for building a binary to use in testing binary117 analysis tools. It is not used when compiling all the testcases as one118 application, which is how source code analysis tools are tested. */119120#ifdef INCLUDEMAIN121122using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memmove_05; /* so that we can use good and bad easily */123124int main(int argc, char * argv[])125{126 /* seed randomness */127 srand( (unsigned)time(NULL) );128#ifndef OMITGOOD129 printLine("Calling good()...");130 good();131 printLine("Finished good()");132#endif /* OMITGOOD */133#ifndef OMITBAD134 printLine("Calling bad()...");135 bad();136 printLine("Finished bad()");137#endif /* OMITBAD */138 return 0;139}140141#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Point data to a buffer that does not have space for a NULL terminator10 * GoodSource: Point data to a buffer that includes space for a NULL terminator11 * Sinks: ncpy12 * BadSink : Copy string to data using strncpy()13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526typedef union27{28 char * unionFirst;29 char * unionSecond;30} CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_unionType;3132#ifndef OMITBAD3334void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_bad()35{✓ 36 char * data;✓ 37 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_unionType myUnion;✓ 38 char dataBadBuffer[10];✓ 39 char dataGoodBuffer[10+1];40 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing41 * string copies in the sinks */✓ 42 data = dataBadBuffer;✓ 43 data[0] = '\0'; /* null terminate */✓ 44 myUnion.unionFirst = data;45 {✓ 46 char * data = myUnion.unionSecond;47 {✓ 48 char source[10+1] = SRC_STRING;49 /* Copy length + 1 to include NUL terminator from source */50 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 51 strncpy(data, source, strlen(source) + 1);❗VULN✓ 52 printLine(data);53 }54 }55}5657#endif /* OMITBAD */5859#ifndef OMITGOOD6061/* goodG2B() uses the GoodSource with the BadSink */62static void goodG2B()63{64 char * data;65 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_unionType myUnion;66 char dataBadBuffer[10];67 char dataGoodBuffer[10+1];68 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing69 * string copies in the sinks */70 data = dataGoodBuffer;71 data[0] = '\0'; /* null terminate */72 myUnion.unionFirst = data;73 {74 char * data = myUnion.unionSecond;75 {76 char source[10+1] = SRC_STRING;77 /* Copy length + 1 to include NUL terminator from source */78 /* POTENTIAL FLAW: data may not have enough space to hold source */79 strncpy(data, source, strlen(source) + 1);80 printLine(data);81 }82 }83}8485void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_good()86{87 goodG2B();88}8990#endif /* OMITGOOD */9192/* Below is the main(). It is only used when building this testcase on93 * its own for testing or for building a binary to use in testing binary94 * analysis tools. It is not used when compiling all the testcases as one95 * application, which is how source code analysis tools are tested.96 */97#ifdef INCLUDEMAIN9899int main(int argc, char * argv[])100{101 /* seed randomness */102 srand( (unsigned)time(NULL) );103#ifndef OMITGOOD104 printLine("Calling good()...");105 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_good();106 printLine("Finished good()");107#endif /* OMITGOOD */108#ifndef OMITBAD109 printLine("Calling bad()...");110 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_bad();111 printLine("Finished bad()");112#endif /* OMITBAD */113 return 0;114}115116#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy twoIntsStruct array to data using a loop13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18_bad()22{✓ 23 twoIntsStruct * data;✓ 24 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));✓ 25 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));✓ 26 goto source;✓ 27source:28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination29 * buffer in various memory copying functions using a "large" source buffer. */✓ 30 data = dataBadBuffer;31 {✓ 32 twoIntsStruct source[100];33 {✓ 34 size_t i;35 /* Initialize array */✓ 36 for (i = 0; i < 100; i++)37 {✓ 38 source[i].intOne = 0;✓ 39 source[i].intTwo = 0;40 }41 }42 {✓ 43 size_t i;44 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 45 for (i = 0; i < 100; i++)46 {✓ 47 data[i] = source[i];❗VULN48 }✓ 49 printStructLine(&data[0]);50 }51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */59static void goodG2B()60{61 twoIntsStruct * data;62 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));63 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));64 goto source;65source:66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */67 data = dataGoodBuffer;68 {69 twoIntsStruct source[100];70 {71 size_t i;72 /* Initialize array */73 for (i = 0; i < 100; i++)74 {75 source[i].intOne = 0;76 source[i].intTwo = 0;77 }78 }79 {80 size_t i;81 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */82 for (i = 0; i < 100; i++)83 {84 data[i] = source[i];85 }86 printStructLine(&data[0]);87 }88 }89}9091void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18_good()92{93 goodG2B();94}9596#endif /* OMITGOOD */9798/* Below is the main(). It is only used when building this testcase on99 * its own for testing or for building a binary to use in testing binary100 * analysis tools. It is not used when compiling all the testcases as one101 * application, which is how source code analysis tools are tested.102 */103104#ifdef INCLUDEMAIN105106int main(int argc, char * argv[])107{108 /* seed randomness */109 srand( (unsigned)time(NULL) );110#ifndef OMITGOOD111 printLine("Calling good()...");112 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18_good();113 printLine("Finished good()");114#endif /* OMITGOOD */115#ifndef OMITBAD116 printLine("Calling bad()...");117 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18_bad();118 printLine("Finished bad()");119#endif /* OMITBAD */120 return 0;121}122123#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__wchar_t_declare_memcpy_05.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 * assigned any other value, so a tool should be able to identify that23 * reads of these will always return their initialized values.24 */25static int staticTrue = 1; /* true */26static int staticFalse = 0; /* false */2728#ifndef OMITBAD2930void CWE126_Buffer_Overread__wchar_t_declare_memcpy_05_bad()31{✓ 32 wchar_t * data;✓ 33 wchar_t dataBadBuffer[50];✓ 34 wchar_t dataGoodBuffer[100];✓ 35 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */✓ 36 dataBadBuffer[50-1] = L'\0'; /* null terminate */✓ 37 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */✓ 38 dataGoodBuffer[100-1] = L'\0'; /* null terminate */✓ 39 if(staticTrue)40 {41 /* FLAW: Set data pointer to a small buffer */✓ 42 data = dataBadBuffer;43 }44 {✓ 45 wchar_t dest[100];✓ 46 wmemset(dest, L'C', 100-1);✓ 47 dest[100-1] = L'\0'; /* null terminate */48 /* POTENTIAL FLAW: using memcpy with the length of the dest where data49 * could be smaller than dest causing buffer overread */✓ 50 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN✓ 51 dest[100-1] = L'\0';✓ 52 printWLine(dest);53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */61static void goodG2B1()62{63 wchar_t * data;64 wchar_t dataBadBuffer[50];65 wchar_t dataGoodBuffer[100];66 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */67 dataBadBuffer[50-1] = L'\0'; /* null terminate */68 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */69 dataGoodBuffer[100-1] = L'\0'; /* null terminate */70 if(staticFalse)71 {72 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */73 printLine("Benign, fixed string");74 }75 else76 {77 /* FIX: Set data pointer to a large buffer */78 data = dataGoodBuffer;79 }80 {81 wchar_t dest[100];82 wmemset(dest, L'C', 100-1);83 dest[100-1] = L'\0'; /* null terminate */84 /* POTENTIAL FLAW: using memcpy with the length of the dest where data85 * could be smaller than dest causing buffer overread */86 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));87 dest[100-1] = L'\0';88 printWLine(dest);89 }90}9192/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */93static void goodG2B2()94{95 wchar_t * data;96 wchar_t dataBadBuffer[50];97 wchar_t dataGoodBuffer[100];98 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */99 dataBadBuffer[50-1] = L'\0'; /* null terminate */100 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */101 dataGoodBuffer[100-1] = L'\0'; /* null terminate */102 if(staticTrue)103 {104 /* FIX: Set data pointer to a large buffer */105 data = dataGoodBuffer;106 }107 {108 wchar_t dest[100];109 wmemset(dest, L'C', 100-1);110 dest[100-1] = L'\0'; /* null terminate */111 /* POTENTIAL FLAW: using memcpy with the length of the dest where data112 * could be smaller than dest causing buffer overread */113 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));114 dest[100-1] = L'\0';115 printWLine(dest);116 }117}118119void CWE126_Buffer_Overread__wchar_t_declare_memcpy_05_good()120{121 goodG2B1();122 goodG2B2();123}124125#endif /* OMITGOOD */126127/* Below is the main(). It is only used when building this testcase on128 * its own for testing or for building a binary to use in testing binary129 * analysis tools. It is not used when compiling all the testcases as one130 * application, which is how source code analysis tools are tested.131 */132133#ifdef INCLUDEMAIN134135int main(int argc, char * argv[])136{137 /* seed randomness */138 srand( (unsigned)time(NULL) );139#ifndef OMITGOOD140 printLine("Calling good()...");141 CWE126_Buffer_Overread__wchar_t_declare_memcpy_05_good();142 printLine("Finished good()");143#endif /* OMITGOOD */144#ifndef OMITBAD145 printLine("Calling bad()...");146 CWE126_Buffer_Overread__wchar_t_declare_memcpy_05_bad();147 printLine("Finished bad()");148#endif /* OMITBAD */149 return 0;150}151152#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sinks: ncpy12 * BadSink : Copy string to data using wcsncpy13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021typedef union22{23 wchar_t * unionFirst;24 wchar_t * unionSecond;25} CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_unionType;2627#ifndef OMITBAD2829void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_bad()30{✓ 31 wchar_t * data;✓ 32 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_unionType myUnion;✓ 33 data = NULL;34 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 35 data = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 36 if (data == NULL) {exit(-1);}✓ 37 data[0] = L'\0'; /* null terminate */✓ 38 myUnion.unionFirst = data;39 {✓ 40 wchar_t * data = myUnion.unionSecond;41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 46 wcsncpy(data, source, 100-1);❗VULN✓ 47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 48 printWLine(data);✓ 49 free(data);50 }51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B() uses the GoodSource with the BadSink */59static void goodG2B()60{61 wchar_t * data;62 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_unionType myUnion;63 data = NULL;64 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */65 data = (wchar_t *)malloc(100*sizeof(wchar_t));66 if (data == NULL) {exit(-1);}67 data[0] = L'\0'; /* null terminate */68 myUnion.unionFirst = data;69 {70 wchar_t * data = myUnion.unionSecond;71 {72 wchar_t source[100];73 wmemset(source, L'C', 100-1); /* fill with L'C's */74 source[100-1] = L'\0'; /* null terminate */75 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */76 wcsncpy(data, source, 100-1);77 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */78 printWLine(data);79 free(data);80 }81 }82}8384void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_good()85{86 goodG2B();87}8889#endif /* OMITGOOD */9091/* Below is the main(). It is only used when building this testcase on92 * its own for testing or for building a binary to use in testing binary93 * analysis tools. It is not used when compiling all the testcases as one94 * application, which is how source code analysis tools are tested.95 */96#ifdef INCLUDEMAIN9798int main(int argc, char * argv[])99{100 /* seed randomness */101 srand( (unsigned)time(NULL) );102#ifndef OMITGOOD103 printLine("Calling good()...");104 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_good();105 printLine("Finished good()");106#endif /* OMITGOOD */107#ifndef OMITBAD108 printLine("Calling bad()...");109 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_bad();110 printLine("Finished bad()");111#endif /* OMITBAD */112 return 0;113}114115#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_wchar_t_memmove_11.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-11.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy string to data using memmove13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE124_Buffer_Underwrite__new_wchar_t_memmove_1122{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;✓ 30 if(globalReturnsTrue())31 {32 {✓ 33 wchar_t * dataBuffer = new wchar_t[100];✓ 34 wmemset(dataBuffer, L'A', 100-1);✓ 35 dataBuffer[100-1] = L'\0';36 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 37 data = dataBuffer - 8;38 }39 }40 {✓ 41 wchar_t source[100];✓ 42 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 43 source[100-1] = L'\0'; /* null terminate */44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 45 memmove(data, source, 100*sizeof(wchar_t));❗VULN46 /* Ensure the destination buffer is null terminated */✓ 47 data[100-1] = L'\0';✓ 48 printWLine(data);49 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location50 * returned by new [] so can't safely call delete [] on it */51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */59static void goodG2B1()60{61 wchar_t * data;62 data = NULL;63 if(globalReturnsFalse())64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 {71 wchar_t * dataBuffer = new wchar_t[100];72 wmemset(dataBuffer, L'A', 100-1);73 dataBuffer[100-1] = L'\0';74 /* FIX: Set data pointer to the allocated memory buffer */75 data = dataBuffer;76 }77 }78 {79 wchar_t source[100];80 wmemset(source, L'C', 100-1); /* fill with 'C's */81 source[100-1] = L'\0'; /* null terminate */82 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */83 memmove(data, source, 100*sizeof(wchar_t));84 /* Ensure the destination buffer is null terminated */85 data[100-1] = L'\0';86 printWLine(data);87 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location88 * returned by new [] so can't safely call delete [] on it */89 }90}9192/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */93static void goodG2B2()94{95 wchar_t * data;96 data = NULL;97 if(globalReturnsTrue())98 {99 {100 wchar_t * dataBuffer = new wchar_t[100];101 wmemset(dataBuffer, L'A', 100-1);102 dataBuffer[100-1] = L'\0';103 /* FIX: Set data pointer to the allocated memory buffer */104 data = dataBuffer;105 }106 }107 {108 wchar_t source[100];109 wmemset(source, L'C', 100-1); /* fill with 'C's */110 source[100-1] = L'\0'; /* null terminate */111 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */112 memmove(data, source, 100*sizeof(wchar_t));113 /* Ensure the destination buffer is null terminated */114 data[100-1] = L'\0';115 printWLine(data);116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location117 * returned by new [] so can't safely call delete [] on it */118 }119}120121void good()122{123 goodG2B1();124 goodG2B2();125}126127#endif /* OMITGOOD */128129} /* close namespace */130131/* Below is the main(). It is only used when building this testcase on132 its own for testing or for building a binary to use in testing binary133 analysis tools. It is not used when compiling all the testcases as one134 application, which is how source code analysis tools are tested. */135136#ifdef INCLUDEMAIN137138using namespace CWE124_Buffer_Underwrite__new_wchar_t_memmove_11; /* so that we can use good and bad easily */139140int main(int argc, char * argv[])141{142 /* seed randomness */143 srand( (unsigned)time(NULL) );144#ifndef OMITGOOD145 printLine("Calling good()...");146 good();147 printLine("Finished good()");148#endif /* OMITGOOD */149#ifndef OMITBAD150 printLine("Calling bad()...");151 bad();152 printLine("Finished bad()");153#endif /* OMITBAD */154 return 0;155}156157#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow.label.xml4Template File: point-flaw-06.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * Sinks: type_overrun_memcpy10 * GoodSink: Perform the memcpy() and prevent overwriting part of the structure11 * BadSink : Overwrite part of the structure by incorrectly using the sizeof(struct) in memcpy()12 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)13 *14 * */1516#include "std_testcase.h"1718#ifndef _WIN3219#include <wchar.h>20#endif2122/* SRC_STR is 32 wchar_t long, including the null terminator, for 64-bit architectures */23#define SRC_STR L"0123456789abcdef0123456789abcde"2425typedef struct _charVoid26{27 wchar_t charFirst[16];28 void * voidSecond;29 void * voidThird;30} charVoid;3132/* The variable below is declared "const", so a tool should be able33 to identify that reads of this will always give its initialized34 value. */35static const int STATIC_CONST_FIVE = 5;3637#ifndef OMITBAD3839void CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06_bad()40{✓ 41 if(STATIC_CONST_FIVE==5)42 {43 {✓ 44 charVoid structCharVoid;✓ 45 structCharVoid.voidSecond = (void *)SRC_STR;46 /* Print the initial block pointed to by structCharVoid.voidSecond */✓ 47 printWLine((wchar_t *)structCharVoid.voidSecond);48 /* FLAW: Use the sizeof(structCharVoid) which will overwrite the pointer voidSecond */✓ 49 memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid));❗VULN✓ 50 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */✓ 51 printWLine((wchar_t *)structCharVoid.charFirst);✓ 52 printWLine((wchar_t *)structCharVoid.voidSecond);53 }54 }55}5657#endif /* OMITBAD */5859#ifndef OMITGOOD6061/* good1() uses if(STATIC_CONST_FIVE!=5) instead of if(STATIC_CONST_FIVE==5) */62static void good1()63{64 if(STATIC_CONST_FIVE!=5)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 {72 charVoid structCharVoid;73 structCharVoid.voidSecond = (void *)SRC_STR;74 /* Print the initial block pointed to by structCharVoid.voidSecond */75 printWLine((wchar_t *)structCharVoid.voidSecond);76 /* FIX: Use sizeof(structCharVoid.charFirst) to avoid overwriting the pointer voidSecond */77 memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid.charFirst));78 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */79 printWLine((wchar_t *)structCharVoid.charFirst);80 printWLine((wchar_t *)structCharVoid.voidSecond);81 }82 }83}8485/* good2() reverses the bodies in the if statement */86static void good2()87{88 if(STATIC_CONST_FIVE==5)89 {90 {91 charVoid structCharVoid;92 structCharVoid.voidSecond = (void *)SRC_STR;93 /* Print the initial block pointed to by structCharVoid.voidSecond */94 printWLine((wchar_t *)structCharVoid.voidSecond);95 /* FIX: Use sizeof(structCharVoid.charFirst) to avoid overwriting the pointer voidSecond */96 memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid.charFirst));97 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */98 printWLine((wchar_t *)structCharVoid.charFirst);99 printWLine((wchar_t *)structCharVoid.voidSecond);100 }101 }102}103104void CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06_good()105{106 good1();107 good2();108}109110#endif /* OMITGOOD */111112/* Below is the main(). It is only used when building this testcase on113 its own for testing or for building a binary to use in testing binary114 analysis tools. It is not used when compiling all the testcases as one115 application, which is how source code analysis tools are tested. */116117#ifdef INCLUDEMAIN118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06_good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06_bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_16.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml4Template File: sources-sink-16.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sink: loop12 * BadSink : Copy array to data using a loop13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_1627{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 data = NULL;✓ 35 while(1)36 {37 /* FLAW: Did not leave space for a null terminator */✓ 38 data = new char[10];✓ 39 break;40 }41 {✓ 42 char source[10+1] = SRC_STRING;✓ 43 size_t i, sourceLen;✓ 44 sourceLen = strlen(source);45 /* Copy length + 1 to include NUL terminator from source */46 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 47 for (i = 0; i < sourceLen + 1; i++)48 {✓ 49 data[i] = source[i];❗VULN50 }✓ 51 printLine(data);✓ 52 delete [] data;53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */61static void goodG2B()62{63 char * data;64 data = NULL;65 while(1)66 {67 /* FIX: Allocate space for a null terminator */68 data = new char[10+1];69 break;70 }71 {72 char source[10+1] = SRC_STRING;73 size_t i, sourceLen;74 sourceLen = strlen(source);75 /* Copy length + 1 to include NUL terminator from source */76 /* POTENTIAL FLAW: data may not have enough space to hold source */77 for (i = 0; i < sourceLen + 1; i++)78 {79 data[i] = source[i];80 }81 printLine(data);82 delete [] data;83 }84}8586void good()87{88 goodG2B();89}9091#endif /* OMITGOOD */9293} /* close namespace */9495/* Below is the main(). It is only used when building this testcase on96 its own for testing or for building a binary to use in testing binary97 analysis tools. It is not used when compiling all the testcases as one98 application, which is how source code analysis tools are tested. */99100#ifdef INCLUDEMAIN101102using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_16; /* so that we can use good and bad easily */103104int main(int argc, char * argv[])105{106 /* seed randomness */107 srand( (unsigned)time(NULL) );108#ifndef OMITGOOD109 printLine("Calling good()...");110 good();111 printLine("Finished good()");112#endif /* OMITGOOD */113#ifndef OMITBAD114 printLine("Calling bad()...");115 bad();116 printLine("Finished bad()");117#endif /* OMITBAD */118 return 0;119}120121#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-32.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: ncpy12 * BadSink : Copy string to data using wcsncpy13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * *dataPtr1 = &data;✓ 27 wchar_t * *dataPtr2 = &data;✓ 28 wchar_t dataBuffer[100];✓ 29 wmemset(dataBuffer, L'A', 100-1);✓ 30 dataBuffer[100-1] = L'\0';31 {✓ 32 wchar_t * data = *dataPtr1;33 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 34 data = dataBuffer - 8;✓ 35 *dataPtr1 = data;36 }37 {✓ 38 wchar_t * data = *dataPtr2;39 {✓ 40 wchar_t source[100];✓ 41 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 42 source[100-1] = L'\0'; /* null terminate */43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 44 wcsncpy(data, source, 100-1);❗VULN45 /* Ensure the destination buffer is null terminated */✓ 46 data[100-1] = L'\0';✓ 47 printWLine(data);48 }49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B() uses the GoodSource with the BadSink */57static void goodG2B()58{59 wchar_t * data;60 wchar_t * *dataPtr1 = &data;61 wchar_t * *dataPtr2 = &data;62 wchar_t dataBuffer[100];63 wmemset(dataBuffer, L'A', 100-1);64 dataBuffer[100-1] = L'\0';65 {66 wchar_t * data = *dataPtr1;67 /* FIX: Set data pointer to the allocated memory buffer */68 data = dataBuffer;69 *dataPtr1 = data;70 }71 {72 wchar_t * data = *dataPtr2;73 {74 wchar_t source[100];75 wmemset(source, L'C', 100-1); /* fill with 'C's */76 source[100-1] = L'\0'; /* null terminate */77 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */78 wcsncpy(data, source, 100-1);79 /* Ensure the destination buffer is null terminated */80 data[100-1] = L'\0';81 printWLine(data);82 }83 }84}8586void CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32_good()87{88 goodG2B();89}9091#endif /* OMITGOOD */9293/* Below is the main(). It is only used when building this testcase on94 * its own for testing or for building a binary to use in testing binary95 * analysis tools. It is not used when compiling all the testcases as one96 * application, which is how source code analysis tools are tested.97 */98#ifdef INCLUDEMAIN99100int main(int argc, char * argv[])101{102 /* seed randomness */103 srand( (unsigned)time(NULL) );104#ifndef OMITGOOD105 printLine("Calling good()...");106 CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32_good();107 printLine("Finished good()");108#endif /* OMITGOOD */109#ifndef OMITBAD110 printLine("Calling bad()...");111 CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32_bad();112 printLine("Finished bad()");113#endif /* OMITBAD */114 return 0;115}116117#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08.c3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml4Template File: sources-sink-08.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two function below always return the same value, so a tool22 * should be able to identify that calls to the functions will always23 * return a fixed value.24 */25static int staticReturnsTrue()26{27 return 1;28}2930static int staticReturnsFalse()31{32 return 0;33}3435#ifndef OMITBAD3637void CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08_bad()38{✓ 39 wchar_t * data;✓ 40 data = NULL;✓ 41 if(staticReturnsTrue())42 {43 /* FLAW: Use a small buffer */✓ 44 data = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 45 if (data == NULL) {exit(-1);}✓ 46 wmemset(data, L'A', 50-1); /* fill with 'A's */✓ 47 data[50-1] = L'\0'; /* null terminate */48 }49 {✓ 50 wchar_t dest[100];✓ 51 wmemset(dest, L'C', 100-1);✓ 52 dest[100-1] = L'\0'; /* null terminate */53 /* POTENTIAL FLAW: using memcpy with the length of the dest where data54 * could be smaller than dest causing buffer overread */✓ 55 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN✓ 56 dest[100-1] = L'\0';✓ 57 printWLine(dest);✓ 58 free(data);59 }60}6162#endif /* OMITBAD */6364#ifndef OMITGOOD6566/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */67static void goodG2B1()68{69 wchar_t * data;70 data = NULL;71 if(staticReturnsFalse())72 {73 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */74 printLine("Benign, fixed string");75 }76 else77 {78 /* FIX: Use a large buffer */79 data = (wchar_t *)malloc(100*sizeof(wchar_t));80 if (data == NULL) {exit(-1);}81 wmemset(data, L'A', 100-1); /* fill with 'A's */82 data[100-1] = L'\0'; /* null terminate */83 }84 {85 wchar_t dest[100];86 wmemset(dest, L'C', 100-1);87 dest[100-1] = L'\0'; /* null terminate */88 /* POTENTIAL FLAW: using memcpy with the length of the dest where data89 * could be smaller than dest causing buffer overread */90 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));91 dest[100-1] = L'\0';92 printWLine(dest);93 free(data);94 }95}9697/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */98static void goodG2B2()99{100 wchar_t * data;101 data = NULL;102 if(staticReturnsTrue())103 {104 /* FIX: Use a large buffer */105 data = (wchar_t *)malloc(100*sizeof(wchar_t));106 if (data == NULL) {exit(-1);}107 wmemset(data, L'A', 100-1); /* fill with 'A's */108 data[100-1] = L'\0'; /* null terminate */109 }110 {111 wchar_t dest[100];112 wmemset(dest, L'C', 100-1);113 dest[100-1] = L'\0'; /* null terminate */114 /* POTENTIAL FLAW: using memcpy with the length of the dest where data115 * could be smaller than dest causing buffer overread */116 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));117 dest[100-1] = L'\0';118 printWLine(dest);119 free(data);120 }121}122123void CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08_good()124{125 goodG2B1();126 goodG2B2();127}128129#endif /* OMITGOOD */130131/* Below is the main(). It is only used when building this testcase on132 * its own for testing or for building a binary to use in testing binary133 * analysis tools. It is not used when compiling all the testcases as one134 * application, which is how source code analysis tools are tested.135 */136137#ifdef INCLUDEMAIN138139int main(int argc, char * argv[])140{141 /* seed randomness */142 srand( (unsigned)time(NULL) );143#ifndef OMITGOOD144 printLine("Calling good()...");145 CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08_good();146 printLine("Finished good()");147#endif /* OMITGOOD */148#ifndef OMITBAD149 printLine("Calling bad()...");150 CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08_bad();151 printLine("Finished bad()");152#endif /* OMITBAD */153 return 0;154}155156#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-42.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223static char * badSource(char * data)24{25 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */26 memset(data, 'A', 100-1); /* fill with 'A's */27 data[100-1] = '\0'; /* null terminate */28 return data;29}3031void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42_bad()32{✓ 33 char * data;✓ 34 char dataBuffer[100];✓ 35 data = dataBuffer;✓ 36 data = badSource(data);37 {✓ 38 char dest[50] = "";39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 40 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN✓ 41 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 42 printLine(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950static char * goodG2BSource(char * data)51{52 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */53 memset(data, 'A', 50-1); /* fill with 'A's */54 data[50-1] = '\0'; /* null terminate */55 return data;56}5758/* goodG2B uses the GoodSource with the BadSink */59static void goodG2B()60{61 char * data;62 char dataBuffer[100];63 data = dataBuffer;64 data = goodG2BSource(data);65 {66 char dest[50] = "";67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */68 memcpy(dest, data, strlen(data)*sizeof(char));69 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */70 printLine(data);71 }72}7374void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42_good()75{76 goodG2B();77}7879#endif /* OMITGOOD */8081/* Below is the main(). It is only used when building this testcase on82 * its own for testing or for building a binary to use in testing binary83 * analysis tools. It is not used when compiling all the testcases as one84 * application, which is how source code analysis tools are tested.85 */8687#ifdef INCLUDEMAIN8889int main(int argc, char * argv[])90{91 /* seed randomness */92 srand( (unsigned)time(NULL) );93#ifndef OMITGOOD94 printLine("Calling good()...");95 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42_good();96 printLine("Finished good()");97#endif /* OMITGOOD */98#ifndef OMITBAD99 printLine("Calling bad()...");100 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42_bad();101 printLine("Finished bad()");102#endif /* OMITBAD */103 return 0;104}105106#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 51 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__CWE839_connect_socket_12.c3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml4Template File: sources-sinks-12.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: connect_socket Read data using a connect socket (client side)10 * GoodSource: Non-negative but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the lower bound14 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())15 *16 * */1718#include "std_testcase.h"1920#ifdef _WIN3221#include <winsock2.h>22#include <windows.h>23#include <direct.h>24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */25#define CLOSE_SOCKET closesocket26#else /* NOT _WIN32 */27#include <sys/types.h>28#include <sys/socket.h>29#include <netinet/in.h>30#include <arpa/inet.h>31#include <unistd.h>32#define INVALID_SOCKET -133#define SOCKET_ERROR -134#define CLOSE_SOCKET close35#define SOCKET int36#endif3738#define TCP_PORT 2701539#define IP_ADDRESS "127.0.0.1"40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)4142#ifndef OMITBAD4344void CWE124_Buffer_Underwrite__CWE839_connect_socket_12_bad()45{✓ 46 int data;47 /* Initialize data */✓ 48 data = -1;✓ 49 if(globalReturnsTrueOrFalse())50 {51 {52#ifdef _WIN32✓ 53 WSADATA wsaData;✓ 54 int wsaDataInit = 0;55#endif✓ 56 int recvResult;✓ 57 struct sockaddr_in service;✓ 58 SOCKET connectSocket = INVALID_SOCKET;✓ 59 char inputBuffer[CHAR_ARRAY_SIZE];60 do61 {62#ifdef _WIN32✓ 63 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)64 {✓ 65 break;66 }✓ 67 wsaDataInit = 1;68#endif69 /* POTENTIAL FLAW: Read data using a connect socket */✓ 70 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);✓ 71 if (connectSocket == INVALID_SOCKET)72 {✓ 73 break;74 }✓ 75 memset(&service, 0, sizeof(service));✓ 76 service.sin_family = AF_INET;✓ 77 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);✓ 78 service.sin_port = htons(TCP_PORT);✓ 79 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)80 {✓ 81 break;82 }83 /* Abort on error or the connection was closed, make sure to recv one84 * less char than is in the recv_buf in order to append a terminator */✓ 85 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);✓ 86 if (recvResult == SOCKET_ERROR || recvResult == 0)87 {✓ 88 break;89 }90 /* NUL-terminate the string */✓ 91 inputBuffer[recvResult] = '\0';92 /* Convert to int */✓ 93 data = atoi(inputBuffer);94 }✓ 95 while (0);✓ 96 if (connectSocket != INVALID_SOCKET)97 {✓ 98 CLOSE_SOCKET(connectSocket);99 }100#ifdef _WIN32✓101 if (wsaDataInit)102 {✓103 WSACleanup();104 }105#endif106 }107 }108 else109 {110 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to111 * access an index of the array in the sink that is out-of-bounds */✓112 data = 7;113 }✓114 if(globalReturnsTrueOrFalse())115 {116 {✓117 int i;✓118 int buffer[10] = { 0 };119 /* POTENTIAL FLAW: Attempt to access a negative index of the array120 * This code does not check to see if the array index is negative */✓121 if (data < 10)122 {✓123 buffer[data] = 1;❗VULN124 /* Print the array values */✓125 for(i = 0; i < 10; i++)126 {✓127 printIntLine(buffer[i]);128 }129 }130 else131 {✓132 printLine("ERROR: Array index is negative.");133 }134 }135 }136 else137 {138 {✓139 int i;✓140 int buffer[10] = { 0 };141 /* FIX: Properly validate the array index and prevent a buffer underwrite */✓142 if (data >= 0 && data < (10))143 {✓144 buffer[data] = 1;145 /* Print the array values */✓146 for(i = 0; i < 10; i++)147 {✓148 printIntLine(buffer[i]);149 }150 }151 else152 {✓153 printLine("ERROR: Array index is out-of-bounds");154 }155 }156 }157}158159#endif /* OMITBAD */160161#ifndef OMITGOOD162163/* goodB2G() - use badsource and goodsink by changing the first "if" so that164 both branches use the BadSource and the second "if" so that both branches165 use the GoodSink */166static void goodB2G()167{168 int data;169 /* Initialize data */170 data = -1;171 if(globalReturnsTrueOrFalse())172 {173 {174#ifdef _WIN32175 WSADATA wsaData;176 int wsaDataInit = 0;177#endif178 int recvResult;179 struct sockaddr_in service;180 SOCKET connectSocket = INVALID_SOCKET;181 char inputBuffer[CHAR_ARRAY_SIZE];182 do183 {184#ifdef _WIN32185 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)186 {187 break;188 }189 wsaDataInit = 1;190#endif191 /* POTENTIAL FLAW: Read data using a connect socket */192 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);193 if (connectSocket == INVALID_SOCKET)194 {195 break;196 }197 memset(&service, 0, sizeof(service));198 service.sin_family = AF_INET;199 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);200 service.sin_port = htons(TCP_PORT);201 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)202 {203 break;204 }205 /* Abort on error or the connection was closed, make sure to recv one206 * less char than is in the recv_buf in order to append a terminator */207 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);208 if (recvResult == SOCKET_ERROR || recvResult == 0)209 {210 break;211 }212 /* NUL-terminate the string */213 inputBuffer[recvResult] = '\0';214 /* Convert to int */215 data = atoi(inputBuffer);216 }217 while (0);218 if (connectSocket != INVALID_SOCKET)219 {220 CLOSE_SOCKET(connectSocket);221 }222#ifdef _WIN32223 if (wsaDataInit)224 {225 WSACleanup();226 }227#endif228 }229 }230 else231 {232 {233#ifdef _WIN32234 WSADATA wsaData;235 int wsaDataInit = 0;236#endif237 int recvResult;238 struct sockaddr_in service;239 SOCKET connectSocket = INVALID_SOCKET;240 char inputBuffer[CHAR_ARRAY_SIZE];241 do242 {243#ifdef _WIN32244 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)245 {246 break;247 }248 wsaDataInit = 1;249#endif250 /* POTENTIAL FLAW: Read data using a connect socket */251 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);252 if (connectSocket == INVALID_SOCKET)253 {254 break;255 }256 memset(&service, 0, sizeof(service));257 service.sin_family = AF_INET;258 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);259 service.sin_port = htons(TCP_PORT);260 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)261 {262 break;263 }264 /* Abort on error or the connection was closed, make sure to recv one265 * less char than is in the recv_buf in order to append a terminator */266 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);267 if (recvResult == SOCKET_ERROR || recvResult == 0)268 {269 break;270 }271 /* NUL-terminate the string */272 inputBuffer[recvResult] = '\0';273 /* Convert to int */274 data = atoi(inputBuffer);275 }276 while (0);277 if (connectSocket != INVALID_SOCKET)278 {279 CLOSE_SOCKET(connectSocket);280 }281#ifdef _WIN32282 if (wsaDataInit)283 {284 WSACleanup();285 }286#endif287 }288 }289 if(globalReturnsTrueOrFalse())290 {291 {292 int i;293 int buffer[10] = { 0 };294 /* FIX: Properly validate the array index and prevent a buffer underwrite */295 if (data >= 0 && data < (10))296 {297 buffer[data] = 1;298 /* Print the array values */299 for(i = 0; i < 10; i++)300 {301 printIntLine(buffer[i]);302 }303 }304 else305 {306 printLine("ERROR: Array index is out-of-bounds");307 }308 }309 }310 else311 {312 {313 int i;314 int buffer[10] = { 0 };315 /* FIX: Properly validate the array index and prevent a buffer underwrite */316 if (data >= 0 && data < (10))317 {318 buffer[data] = 1;319 /* Print the array values */320 for(i = 0; i < 10; i++)321 {322 printIntLine(buffer[i]);323 }324 }325 else326 {327 printLine("ERROR: Array index is out-of-bounds");328 }329 }330 }331}332333/* goodG2B() - use goodsource and badsink by changing the first "if" so that334 both branches use the GoodSource and the second "if" so that both branches335 use the BadSink */336static void goodG2B()337{338 int data;339 /* Initialize data */340 data = -1;341 if(globalReturnsTrueOrFalse())342 {343 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to344 * access an index of the array in the sink that is out-of-bounds */345 data = 7;346 }347 else348 {349 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to350 * access an index of the array in the sink that is out-of-bounds */351 data = 7;352 }353 if(globalReturnsTrueOrFalse())354 {355 {356 int i;357 int buffer[10] = { 0 };358 /* POTENTIAL FLAW: Attempt to access a negative index of the array359 * This code does not check to see if the array index is negative */360 if (data < 10)361 {362 buffer[data] = 1;363 /* Print the array values */364 for(i = 0; i < 10; i++)365 {366 printIntLine(buffer[i]);367 }368 }369 else370 {371 printLine("ERROR: Array index is negative.");372 }373 }374 }375 else376 {377 {378 int i;379 int buffer[10] = { 0 };380 /* POTENTIAL FLAW: Attempt to access a negative index of the array381 * This code does not check to see if the array index is negative */382 if (data < 10)383 {384 buffer[data] = 1;385 /* Print the array values */386 for(i = 0; i < 10; i++)387 {388 printIntLine(buffer[i]);389 }390 }391 else392 {393 printLine("ERROR: Array index is negative.");394 }395 }396 }397}398399void CWE124_Buffer_Underwrite__CWE839_connect_socket_12_good()400{401 goodB2G();402 goodG2B();403}404405#endif /* OMITGOOD */406407/* Below is the main(). It is only used when building this testcase on408 its own for testing or for building a binary to use in testing binary409 analysis tools. It is not used when compiling all the testcases as one410 application, which is how source code analysis tools are tested. */411412#ifdef INCLUDEMAIN413414int main(int argc, char * argv[])415{416 /* seed randomness */417 srand( (unsigned)time(NULL) );418#ifndef OMITGOOD419 printLine("Calling good()...");420 CWE124_Buffer_Underwrite__CWE839_connect_socket_12_good();421 printLine("Finished good()");422#endif /* OMITGOOD */423#ifndef OMITBAD424 printLine("Calling bad()...");425 CWE124_Buffer_Underwrite__CWE839_connect_socket_12_bad();426 printLine("Finished bad()");427#endif /* OMITBAD */428 return 0;429}430431#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__new_char_memmove_11.cpp3Label Definition File: CWE127_Buffer_Underread__new.label.xml4Template File: sources-sink-11.tmpl.cpp5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE127_Buffer_Underread__new_char_memmove_1122{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = NULL;✓ 30 if(globalReturnsTrue())31 {32 {✓ 33 char * dataBuffer = new char[100];✓ 34 memset(dataBuffer, 'A', 100-1);✓ 35 dataBuffer[100-1] = '\0';36 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 37 data = dataBuffer - 8;38 }39 }40 {✓ 41 char dest[100];✓ 42 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 43 dest[100-1] = '\0'; /* null terminate */44 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 45 memmove(dest, data, 100*sizeof(char));❗VULN46 /* Ensure null termination */✓ 47 dest[100-1] = '\0';✓ 48 printLine(dest);49 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location50 * returned by new [] so can't safely call delete [] on it */51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */59static void goodG2B1()60{61 char * data;62 data = NULL;63 if(globalReturnsFalse())64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 {71 char * dataBuffer = new char[100];72 memset(dataBuffer, 'A', 100-1);73 dataBuffer[100-1] = '\0';74 /* FIX: Set data pointer to the allocated memory buffer */75 data = dataBuffer;76 }77 }78 {79 char dest[100];80 memset(dest, 'C', 100-1); /* fill with 'C's */81 dest[100-1] = '\0'; /* null terminate */82 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */83 memmove(dest, data, 100*sizeof(char));84 /* Ensure null termination */85 dest[100-1] = '\0';86 printLine(dest);87 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location88 * returned by new [] so can't safely call delete [] on it */89 }90}9192/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */93static void goodG2B2()94{95 char * data;96 data = NULL;97 if(globalReturnsTrue())98 {99 {100 char * dataBuffer = new char[100];101 memset(dataBuffer, 'A', 100-1);102 dataBuffer[100-1] = '\0';103 /* FIX: Set data pointer to the allocated memory buffer */104 data = dataBuffer;105 }106 }107 {108 char dest[100];109 memset(dest, 'C', 100-1); /* fill with 'C's */110 dest[100-1] = '\0'; /* null terminate */111 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */112 memmove(dest, data, 100*sizeof(char));113 /* Ensure null termination */114 dest[100-1] = '\0';115 printLine(dest);116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location117 * returned by new [] so can't safely call delete [] on it */118 }119}120121void good()122{123 goodG2B1();124 goodG2B2();125}126127#endif /* OMITGOOD */128129} /* close namespace */130131/* Below is the main(). It is only used when building this testcase on132 its own for testing or for building a binary to use in testing binary133 analysis tools. It is not used when compiling all the testcases as one134 application, which is how source code analysis tools are tested. */135136#ifdef INCLUDEMAIN137138using namespace CWE127_Buffer_Underread__new_char_memmove_11; /* so that we can use good and bad easily */139140int main(int argc, char * argv[])141{142 /* seed randomness */143 srand( (unsigned)time(NULL) );144#ifndef OMITGOOD145 printLine("Calling good()...");146 good();147 printLine("Finished good()");148#endif /* OMITGOOD */149#ifndef OMITBAD150 printLine("Calling bad()...");151 bad();152 printLine("Finished bad()");153#endif /* OMITBAD */154 return 0;155}156157#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_loop_07.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 * any other value so a tool should be able to identify that reads of23 * this will always give its initialized value.24 */25static int staticFive = 5;2627#ifndef OMITBAD2829void CWE127_Buffer_Underread__malloc_char_loop_07_bad()30{✓ 31 char * data;✓ 32 data = NULL;✓ 33 if(staticFive==5)34 {35 {✓ 36 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 37 if (dataBuffer == NULL) {exit(-1);}✓ 38 memset(dataBuffer, 'A', 100-1);✓ 39 dataBuffer[100-1] = '\0';40 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 41 data = dataBuffer - 8;42 }43 }44 {✓ 45 size_t i;✓ 46 char dest[100];✓ 47 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 48 dest[100-1] = '\0'; /* null terminate */49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 50 for (i = 0; i < 100; i++)51 {✓ 52 dest[i] = data[i];❗VULN53 }54 /* Ensure null termination */✓ 55 dest[100-1] = '\0';✓ 56 printLine(dest);57 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location58 * returned by malloc() so can't safely call free() on it */59 }60}6162#endif /* OMITBAD */6364#ifndef OMITGOOD6566/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */67static void goodG2B1()68{69 char * data;70 data = NULL;71 if(staticFive!=5)72 {73 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */74 printLine("Benign, fixed string");75 }76 else77 {78 {79 char * dataBuffer = (char *)malloc(100*sizeof(char));80 if (dataBuffer == NULL) {exit(-1);}81 memset(dataBuffer, 'A', 100-1);82 dataBuffer[100-1] = '\0';83 /* FIX: Set data pointer to the allocated memory buffer */84 data = dataBuffer;85 }86 }87 {88 size_t i;89 char dest[100];90 memset(dest, 'C', 100-1); /* fill with 'C's */91 dest[100-1] = '\0'; /* null terminate */92 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */93 for (i = 0; i < 100; i++)94 {95 dest[i] = data[i];96 }97 /* Ensure null termination */98 dest[100-1] = '\0';99 printLine(dest);100 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location101 * returned by malloc() so can't safely call free() on it */102 }103}104105/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */106static void goodG2B2()107{108 char * data;109 data = NULL;110 if(staticFive==5)111 {112 {113 char * dataBuffer = (char *)malloc(100*sizeof(char));114 if (dataBuffer == NULL) {exit(-1);}115 memset(dataBuffer, 'A', 100-1);116 dataBuffer[100-1] = '\0';117 /* FIX: Set data pointer to the allocated memory buffer */118 data = dataBuffer;119 }120 }121 {122 size_t i;123 char dest[100];124 memset(dest, 'C', 100-1); /* fill with 'C's */125 dest[100-1] = '\0'; /* null terminate */126 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */127 for (i = 0; i < 100; i++)128 {129 dest[i] = data[i];130 }131 /* Ensure null termination */132 dest[100-1] = '\0';133 printLine(dest);134 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location135 * returned by malloc() so can't safely call free() on it */136 }137}138139void CWE127_Buffer_Underread__malloc_char_loop_07_good()140{141 goodG2B1();142 goodG2B2();143}144145#endif /* OMITGOOD */146147/* Below is the main(). It is only used when building this testcase on148 * its own for testing or for building a binary to use in testing binary149 * analysis tools. It is not used when compiling all the testcases as one150 * application, which is how source code analysis tools are tested.151 */152153#ifdef INCLUDEMAIN154155int main(int argc, char * argv[])156{157 /* seed randomness */158 srand( (unsigned)time(NULL) );159#ifndef OMITGOOD160 printLine("Calling good()...");161 CWE127_Buffer_Underread__malloc_char_loop_07_good();162 printLine("Finished good()");163#endif /* OMITGOOD */164#ifndef OMITBAD165 printLine("Calling bad()...");166 CWE127_Buffer_Underread__malloc_char_loop_07_bad();167 printLine("Finished bad()");168#endif /* OMITBAD */169 return 0;170}171172#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__new_char_loop_01.cpp3Label Definition File: CWE126_Buffer_Overread__new.label.xml4Template File: sources-sink-01.tmpl.cpp5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE126_Buffer_Overread__new_char_loop_0122{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = NULL;30 /* FLAW: Use a small buffer */✓ 31 data = new char[50];✓ 32 memset(data, 'A', 50-1); /* fill with 'A's */✓ 33 data[50-1] = '\0'; /* null terminate */34 {✓ 35 size_t i, destLen;✓ 36 char dest[100];✓ 37 memset(dest, 'C', 100-1);✓ 38 dest[100-1] = '\0'; /* null terminate */✓ 39 destLen = strlen(dest);40 /* POTENTIAL FLAW: using length of the dest where data41 * could be smaller than dest causing buffer overread */✓ 42 for (i = 0; i < destLen; i++)43 {✓ 44 dest[i] = data[i];❗VULN45 }✓ 46 dest[100-1] = '\0';✓ 47 printLine(dest);✓ 48 delete [] data;49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B uses the GoodSource with the BadSink */57static void goodG2B()58{59 char * data;60 data = NULL;61 /* FIX: Use a large buffer */62 data = new char[100];63 memset(data, 'A', 100-1); /* fill with 'A's */64 data[100-1] = '\0'; /* null terminate */65 {66 size_t i, destLen;67 char dest[100];68 memset(dest, 'C', 100-1);69 dest[100-1] = '\0'; /* null terminate */70 destLen = strlen(dest);71 /* POTENTIAL FLAW: using length of the dest where data72 * could be smaller than dest causing buffer overread */73 for (i = 0; i < destLen; i++)74 {75 dest[i] = data[i];76 }77 dest[100-1] = '\0';78 printLine(dest);79 delete [] data;80 }81}8283void good()84{85 goodG2B();86}8788#endif /* OMITGOOD */8990} /* close namespace */9192/* Below is the main(). It is only used when building this testcase on93 its own for testing or for building a binary to use in testing binary94 analysis tools. It is not used when compiling all the testcases as one95 application, which is how source code analysis tools are tested. */9697#ifdef INCLUDEMAIN9899using namespace CWE126_Buffer_Overread__new_char_loop_01; /* so that we can use good and bad easily */100101int main(int argc, char * argv[])102{103 /* seed randomness */104 srand( (unsigned)time(NULL) );105#ifndef OMITGOOD106 printLine("Calling good()...");107 good();108 printLine("Finished good()");109#endif /* OMITGOOD */110#ifndef OMITBAD111 printLine("Calling bad()...");112 bad();113 printLine("Finished bad()");114#endif /* OMITBAD */115 return 0;116}117118#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_loop_42.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-42.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223static char * badSource(char * data)24{25 {26 char * dataBuffer = (char *)malloc(100*sizeof(char));27 if (dataBuffer == NULL) {exit(-1);}28 memset(dataBuffer, 'A', 100-1);29 dataBuffer[100-1] = '\0';30 /* FLAW: Set data pointer to before the allocated memory buffer */31 data = dataBuffer - 8;32 }33 return data;34}3536void CWE127_Buffer_Underread__malloc_char_loop_42_bad()37{✓ 38 char * data;✓ 39 data = NULL;✓ 40 data = badSource(data);41 {✓ 42 size_t i;✓ 43 char dest[100];✓ 44 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 45 dest[100-1] = '\0'; /* null terminate */46 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 47 for (i = 0; i < 100; i++)48 {✓ 49 dest[i] = data[i];❗VULN50 }51 /* Ensure null termination */✓ 52 dest[100-1] = '\0';✓ 53 printLine(dest);54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location55 * returned by malloc() so can't safely call free() on it */56 }57}5859#endif /* OMITBAD */6061#ifndef OMITGOOD6263static char * goodG2BSource(char * data)64{65 {66 char * dataBuffer = (char *)malloc(100*sizeof(char));67 if (dataBuffer == NULL) {exit(-1);}68 memset(dataBuffer, 'A', 100-1);69 dataBuffer[100-1] = '\0';70 /* FIX: Set data pointer to the allocated memory buffer */71 data = dataBuffer;72 }73 return data;74}7576/* goodG2B uses the GoodSource with the BadSink */77static void goodG2B()78{79 char * data;80 data = NULL;81 data = goodG2BSource(data);82 {83 size_t i;84 char dest[100];85 memset(dest, 'C', 100-1); /* fill with 'C's */86 dest[100-1] = '\0'; /* null terminate */87 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */88 for (i = 0; i < 100; i++)89 {90 dest[i] = data[i];91 }92 /* Ensure null termination */93 dest[100-1] = '\0';94 printLine(dest);95 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location96 * returned by malloc() so can't safely call free() on it */97 }98}99100void CWE127_Buffer_Underread__malloc_char_loop_42_good()101{102 goodG2B();103}104105#endif /* OMITGOOD */106107/* Below is the main(). It is only used when building this testcase on108 * its own for testing or for building a binary to use in testing binary109 * analysis tools. It is not used when compiling all the testcases as one110 * application, which is how source code analysis tools are tested.111 */112113#ifdef INCLUDEMAIN114115int main(int argc, char * argv[])116{117 /* seed randomness */118 srand( (unsigned)time(NULL) );119#ifndef OMITGOOD120 printLine("Calling good()...");121 CWE127_Buffer_Underread__malloc_char_loop_42_good();122 printLine("Finished good()");123#endif /* OMITGOOD */124#ifndef OMITBAD125 printLine("Calling bad()...");126 CWE127_Buffer_Underread__malloc_char_loop_42_bad();127 printLine("Finished bad()");128#endif /* OMITBAD */129 return 0;130}131132#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sinks: ncpy12 * BadSink : Copy string to data using strncpy()13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526typedef union27{28 char * unionFirst;29 char * unionSecond;30} CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_unionType;3132#ifndef OMITBAD3334void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_bad()35{✓ 36 char * data;✓ 37 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_unionType myUnion;✓ 38 data = NULL;39 /* FLAW: Did not leave space for a null terminator */✓ 40 data = (char *)malloc(10*sizeof(char));✓ 41 if (data == NULL) {exit(-1);}✓ 42 myUnion.unionFirst = data;43 {✓ 44 char * data = myUnion.unionSecond;45 {✓ 46 char source[10+1] = SRC_STRING;47 /* Copy length + 1 to include NUL terminator from source */48 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 49 strncpy(data, source, strlen(source) + 1);❗VULN✓ 50 printLine(data);✓ 51 free(data);52 }53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B() uses the GoodSource with the BadSink */61static void goodG2B()62{63 char * data;64 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_unionType myUnion;65 data = NULL;66 /* FIX: Allocate space for a null terminator */67 data = (char *)malloc((10+1)*sizeof(char));68 if (data == NULL) {exit(-1);}69 myUnion.unionFirst = data;70 {71 char * data = myUnion.unionSecond;72 {73 char source[10+1] = SRC_STRING;74 /* Copy length + 1 to include NUL terminator from source */75 /* POTENTIAL FLAW: data may not have enough space to hold source */76 strncpy(data, source, strlen(source) + 1);77 printLine(data);78 free(data);79 }80 }81}8283void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_good()84{85 goodG2B();86}8788#endif /* OMITGOOD */8990/* Below is the main(). It is only used when building this testcase on91 * its own for testing or for building a binary to use in testing binary92 * analysis tools. It is not used when compiling all the testcases as one93 * application, which is how source code analysis tools are tested.94 */95#ifdef INCLUDEMAIN9697int main(int argc, char * argv[])98{99 /* seed randomness */100 srand( (unsigned)time(NULL) );101#ifndef OMITGOOD102 printLine("Calling good()...");103 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_good();104 printLine("Finished good()");105#endif /* OMITGOOD */106#ifndef OMITBAD107 printLine("Calling bad()...");108 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_bad();109 printLine("Finished bad()");110#endif /* OMITBAD */111 return 0;112}113114#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-03.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncat12 * BadSink : Copy data to string using strncat13 * Flow Variant: 03 Control flow: if(5==5) and if(5!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03_bad()24{✓ 25 char * data;✓ 26 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 27 data = dataBuffer;✓ 28 if(5==5)29 {30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 31 memset(data, 'A', 100-1); /* fill with 'A's */✓ 32 data[100-1] = '\0'; /* null terminate */33 }34 {✓ 35 char dest[50] = "";36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/✓ 37 strncat(dest, data, strlen(data));❗VULN✓ 38 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 39 printLine(data);40 }41}4243#endif /* OMITBAD */4445#ifndef OMITGOOD4647/* goodG2B1() - use goodsource and badsink by changing the 5==5 to 5!=5 */48static void goodG2B1()49{50 char * data;51 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));52 data = dataBuffer;53 if(5!=5)54 {55 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */56 printLine("Benign, fixed string");57 }58 else59 {60 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */61 memset(data, 'A', 50-1); /* fill with 'A's */62 data[50-1] = '\0'; /* null terminate */63 }64 {65 char dest[50] = "";66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/67 strncat(dest, data, strlen(data));68 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */69 printLine(data);70 }71}7273/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */74static void goodG2B2()75{76 char * data;77 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));78 data = dataBuffer;79 if(5==5)80 {81 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */82 memset(data, 'A', 50-1); /* fill with 'A's */83 data[50-1] = '\0'; /* null terminate */84 }85 {86 char dest[50] = "";87 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/88 strncat(dest, data, strlen(data));89 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */90 printLine(data);91 }92}9394void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03_good()95{96 goodG2B1();97 goodG2B2();98}99100#endif /* OMITGOOD */101102/* Below is the main(). It is only used when building this testcase on103 * its own for testing or for building a binary to use in testing binary104 * analysis tools. It is not used when compiling all the testcases as one105 * application, which is how source code analysis tools are tested.106 */107108#ifdef INCLUDEMAIN109110int main(int argc, char * argv[])111{112 /* seed randomness */113 srand( (unsigned)time(NULL) );114#ifndef OMITGOOD115 printLine("Calling good()...");116 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03_good();117 printLine("Finished good()");118#endif /* OMITGOOD */119#ifndef OMITBAD120 printLine("Calling bad()...");121 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03_bad();122 printLine("Finished bad()");123#endif /* OMITBAD */124 return 0;125}126127#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-11.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: ncat12 * BadSink : Copy string to data using wcsncat13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));✓ 27 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 28 if(globalReturnsTrue())29 {30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination31 * buffer in various memory copying functions using a "large" source buffer. */✓ 32 data = dataBadBuffer;✓ 33 data[0] = L'\0'; /* null terminate */34 }35 {✓ 36 wchar_t source[100];✓ 37 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 38 source[100-1] = L'\0'; /* null terminate */39 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */✓ 40 wcsncat(data, source, 100);❗VULN✓ 41 printWLine(data);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */50static void goodG2B1()51{52 wchar_t * data;53 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));54 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));55 if(globalReturnsFalse())56 {57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */58 printLine("Benign, fixed string");59 }60 else61 {62 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */63 data = dataGoodBuffer;64 data[0] = L'\0'; /* null terminate */65 }66 {67 wchar_t source[100];68 wmemset(source, L'C', 100-1); /* fill with L'C's */69 source[100-1] = L'\0'; /* null terminate */70 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */71 wcsncat(data, source, 100);72 printWLine(data);73 }74}7576/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */77static void goodG2B2()78{79 wchar_t * data;80 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));81 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));82 if(globalReturnsTrue())83 {84 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */85 data = dataGoodBuffer;86 data[0] = L'\0'; /* null terminate */87 }88 {89 wchar_t source[100];90 wmemset(source, L'C', 100-1); /* fill with L'C's */91 source[100-1] = L'\0'; /* null terminate */92 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */93 wcsncat(data, source, 100);94 printWLine(data);95 }96}9798void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11_good()99{100 goodG2B1();101 goodG2B2();102}103104#endif /* OMITGOOD */105106/* Below is the main(). It is only used when building this testcase on107 * its own for testing or for building a binary to use in testing binary108 * analysis tools. It is not used when compiling all the testcases as one109 * application, which is how source code analysis tools are tested.110 */111112#ifdef INCLUDEMAIN113114int main(int argc, char * argv[])115{116 /* seed randomness */117 srand( (unsigned)time(NULL) );118#ifndef OMITGOOD119 printLine("Calling good()...");120 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11_good();121 printLine("Finished good()");122#endif /* OMITGOOD */123#ifndef OMITBAD124 printLine("Calling bad()...");125 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11_bad();126 printLine("Finished bad()");127#endif /* OMITBAD */128 return 0;129}130131#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml4Template File: sources-sink-06.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: cat12 * BadSink : Copy data to string using strcat13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is declared "const", so a tool should be able22 * to identify that reads of this will always give its initialized value. */23static const int STATIC_CONST_FIVE = 5;2425#ifndef OMITBAD2627void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06_bad()28{✓ 29 char * data;✓ 30 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 31 data = dataBuffer;✓ 32 if(STATIC_CONST_FIVE==5)33 {34 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 35 memset(data, 'A', 100-1); /* fill with 'A's */✓ 36 data[100-1] = '\0'; /* null terminate */37 }38 {✓ 39 char dest[50] = "";40 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/✓ 41 strcat(dest, data);❗VULN✓ 42 printLine(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */51static void goodG2B1()52{53 char * data;54 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));55 data = dataBuffer;56 if(STATIC_CONST_FIVE!=5)57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */64 memset(data, 'A', 50-1); /* fill with 'A's */65 data[50-1] = '\0'; /* null terminate */66 }67 {68 char dest[50] = "";69 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/70 strcat(dest, data);71 printLine(data);72 }73}7475/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */76static void goodG2B2()77{78 char * data;79 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));80 data = dataBuffer;81 if(STATIC_CONST_FIVE==5)82 {83 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */84 memset(data, 'A', 50-1); /* fill with 'A's */85 data[50-1] = '\0'; /* null terminate */86 }87 {88 char dest[50] = "";89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/90 strcat(dest, data);91 printLine(data);92 }93}9495void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06_good()96{97 goodG2B1();98 goodG2B2();99}100101#endif /* OMITGOOD */102103/* Below is the main(). It is only used when building this testcase on104 * its own for testing or for building a binary to use in testing binary105 * analysis tools. It is not used when compiling all the testcases as one106 * application, which is how source code analysis tools are tested.107 */108109#ifdef INCLUDEMAIN110111int main(int argc, char * argv[])112{113 /* seed randomness */114 srand( (unsigned)time(NULL) );115#ifndef OMITGOOD116 printLine("Calling good()...");117 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06_good();118 printLine("Finished good()");119#endif /* OMITGOOD */120#ifndef OMITBAD121 printLine("Calling bad()...");122 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06_bad();123 printLine("Finished bad()");124#endif /* OMITBAD */125 return 0;126}127128#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22b.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml4Template File: sources-sinks-22b.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: fscanf Read data from the console using fscanf()10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.15 *16 * */1718#include "std_testcase.h"1920#ifndef OMITBAD2122/* The global variable below is used to drive control flow in the sink function */23extern int CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_badGlobal;24✓ 25void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_badSink(int data)26{✓ 27 if(CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_badGlobal)28 {29 {✓ 30 int i;✓ 31 int buffer[10] = { 0 };32 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound33 * This code does check to see if the array index is negative */✓ 34 if (data >= 0)35 {✓ 36 buffer[data] = 1;❗VULN37 /* Print the array values */✓ 38 for(i = 0; i < 10; i++)39 {✓ 40 printIntLine(buffer[i]);41 }42 }43 else44 {✓ 45 printLine("ERROR: Array index is negative.");46 }47 }48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* The global variables below are used to drive control flow in the sink functions. */56extern int CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G1Global;57extern int CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G2Global;58extern int CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodG2BGlobal;5960/* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */61void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G1Sink(int data)62{63 if(CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G1Global)64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 {71 int i;72 int buffer[10] = { 0 };73 /* FIX: Properly validate the array index and prevent a buffer overflow */74 if (data >= 0 && data < (10))75 {76 buffer[data] = 1;77 /* Print the array values */78 for(i = 0; i < 10; i++)79 {80 printIntLine(buffer[i]);81 }82 }83 else84 {85 printLine("ERROR: Array index is out-of-bounds");86 }87 }88 }89}9091/* goodB2G2() - use badsource and goodsink by reversing the blocks in the if in the sink function */92void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G2Sink(int data)93{94 if(CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G2Global)95 {96 {97 int i;98 int buffer[10] = { 0 };99 /* FIX: Properly validate the array index and prevent a buffer overflow */100 if (data >= 0 && data < (10))101 {102 buffer[data] = 1;103 /* Print the array values */104 for(i = 0; i < 10; i++)105 {106 printIntLine(buffer[i]);107 }108 }109 else110 {111 printLine("ERROR: Array index is out-of-bounds");112 }113 }114 }115}116117/* goodG2B() - use goodsource and badsink */118void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodG2BSink(int data)119{120 if(CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodG2BGlobal)121 {122 {123 int i;124 int buffer[10] = { 0 };125 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound126 * This code does check to see if the array index is negative */127 if (data >= 0)128 {129 buffer[data] = 1;130 /* Print the array values */131 for(i = 0; i < 10; i++)132 {133 printIntLine(buffer[i]);134 }135 }136 else137 {138 printLine("ERROR: Array index is negative.");139 }140 }141 }142}143144#endif /* OMITGOOD */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_cpy_03.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-03.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 03 Control flow: if(5==5) and if(5!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__malloc_char_cpy_03_bad()24{✓ 25 char * data;✓ 26 data = NULL;✓ 27 if(5==5)28 {29 {✓ 30 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 memset(dataBuffer, 'A', 100-1);✓ 33 dataBuffer[100-1] = '\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 {✓ 39 char dest[100*2];✓ 40 memset(dest, 'C', 100*2-1); /* fill with 'C's */✓ 41 dest[100*2-1] = '\0'; /* null terminate */42 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 43 strcpy(dest, data);❗VULN✓ 44 printLine(dest);45 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location46 * returned by malloc() so can't safely call free() on it */47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the 5==5 to 5!=5 */55static void goodG2B1()56{57 char * data;58 data = NULL;59 if(5!=5)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 {67 char * dataBuffer = (char *)malloc(100*sizeof(char));68 if (dataBuffer == NULL) {exit(-1);}69 memset(dataBuffer, 'A', 100-1);70 dataBuffer[100-1] = '\0';71 /* FIX: Set data pointer to the allocated memory buffer */72 data = dataBuffer;73 }74 }75 {76 char dest[100*2];77 memset(dest, 'C', 100*2-1); /* fill with 'C's */78 dest[100*2-1] = '\0'; /* null terminate */79 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */80 strcpy(dest, data);81 printLine(dest);82 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location83 * returned by malloc() so can't safely call free() on it */84 }85}8687/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */88static void goodG2B2()89{90 char * data;91 data = NULL;92 if(5==5)93 {94 {95 char * dataBuffer = (char *)malloc(100*sizeof(char));96 if (dataBuffer == NULL) {exit(-1);}97 memset(dataBuffer, 'A', 100-1);98 dataBuffer[100-1] = '\0';99 /* FIX: Set data pointer to the allocated memory buffer */100 data = dataBuffer;101 }102 }103 {104 char dest[100*2];105 memset(dest, 'C', 100*2-1); /* fill with 'C's */106 dest[100*2-1] = '\0'; /* null terminate */107 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */108 strcpy(dest, data);109 printLine(dest);110 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location111 * returned by malloc() so can't safely call free() on it */112 }113}114115void CWE127_Buffer_Underread__malloc_char_cpy_03_good()116{117 goodG2B1();118 goodG2B2();119}120121#endif /* OMITGOOD */122123/* Below is the main(). It is only used when building this testcase on124 * its own for testing or for building a binary to use in testing binary125 * analysis tools. It is not used when compiling all the testcases as one126 * application, which is how source code analysis tools are tested.127 */128129#ifdef INCLUDEMAIN130131int main(int argc, char * argv[])132{133 /* seed randomness */134 srand( (unsigned)time(NULL) );135#ifndef OMITGOOD136 printLine("Calling good()...");137 CWE127_Buffer_Underread__malloc_char_cpy_03_good();138 printLine("Finished good()");139#endif /* OMITGOOD */140#ifndef OMITBAD141 printLine("Calling bad()...");142 CWE127_Buffer_Underread__malloc_char_cpy_03_bad();143 printLine("Finished bad()");144#endif /* OMITBAD */145 return 0;146}147148#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memcpy_09.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml4Template File: sources-sink-09.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy()13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memcpy_0927{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 data = NULL;✓ 35 if(GLOBAL_CONST_TRUE)36 {37 /* FLAW: Did not leave space for a null terminator */✓ 38 data = new char[10];39 }40 {✓ 41 char source[10+1] = SRC_STRING;42 /* Copy length + 1 to include NUL terminator from source */43 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 44 memcpy(data, source, (strlen(source) + 1) * sizeof(char));❗VULN✓ 45 printLine(data);✓ 46 delete [] data;47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */55static void goodG2B1()56{57 char * data;58 data = NULL;59 if(GLOBAL_CONST_FALSE)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 /* FIX: Allocate space for a null terminator */67 data = new char[10+1];68 }69 {70 char source[10+1] = SRC_STRING;71 /* Copy length + 1 to include NUL terminator from source */72 /* POTENTIAL FLAW: data may not have enough space to hold source */73 memcpy(data, source, (strlen(source) + 1) * sizeof(char));74 printLine(data);75 delete [] data;76 }77}7879/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */80static void goodG2B2()81{82 char * data;83 data = NULL;84 if(GLOBAL_CONST_TRUE)85 {86 /* FIX: Allocate space for a null terminator */87 data = new char[10+1];88 }89 {90 char source[10+1] = SRC_STRING;91 /* Copy length + 1 to include NUL terminator from source */92 /* POTENTIAL FLAW: data may not have enough space to hold source */93 memcpy(data, source, (strlen(source) + 1) * sizeof(char));94 printLine(data);95 delete [] data;96 }97}9899void good()100{101 goodG2B1();102 goodG2B2();103}104105#endif /* OMITGOOD */106107} /* close namespace */108109/* Below is the main(). It is only used when building this testcase on110 its own for testing or for building a binary to use in testing binary111 analysis tools. It is not used when compiling all the testcases as one112 application, which is how source code analysis tools are tested. */113114#ifdef INCLUDEMAIN115116using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memcpy_09; /* so that we can use good and bad easily */117118int main(int argc, char * argv[])119{120 /* seed randomness */121 srand( (unsigned)time(NULL) );122#ifndef OMITGOOD123 printLine("Calling good()...");124 good();125 printLine("Finished good()");126#endif /* OMITGOOD */127#ifndef OMITBAD128 printLine("Calling bad()...");129 bad();130 printLine("Finished bad()");131#endif /* OMITBAD */132 return 0;133}134135#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_13.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml4Template File: sources-sink-13.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sink: loop12 * BadSink : Copy array to data using a loop13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_1327{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 data = NULL;✓ 35 if(GLOBAL_CONST_FIVE==5)36 {37 /* FLAW: Did not leave space for a null terminator */✓ 38 data = new char[10];39 }40 {✓ 41 char source[10+1] = SRC_STRING;✓ 42 size_t i, sourceLen;✓ 43 sourceLen = strlen(source);44 /* Copy length + 1 to include NUL terminator from source */45 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 46 for (i = 0; i < sourceLen + 1; i++)47 {✓ 48 data[i] = source[i];❗VULN49 }✓ 50 printLine(data);✓ 51 delete [] data;52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */60static void goodG2B1()61{62 char * data;63 data = NULL;64 if(GLOBAL_CONST_FIVE!=5)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 /* FIX: Allocate space for a null terminator */72 data = new char[10+1];73 }74 {75 char source[10+1] = SRC_STRING;76 size_t i, sourceLen;77 sourceLen = strlen(source);78 /* Copy length + 1 to include NUL terminator from source */79 /* POTENTIAL FLAW: data may not have enough space to hold source */80 for (i = 0; i < sourceLen + 1; i++)81 {82 data[i] = source[i];83 }84 printLine(data);85 delete [] data;86 }87}8889/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */90static void goodG2B2()91{92 char * data;93 data = NULL;94 if(GLOBAL_CONST_FIVE==5)95 {96 /* FIX: Allocate space for a null terminator */97 data = new char[10+1];98 }99 {100 char source[10+1] = SRC_STRING;101 size_t i, sourceLen;102 sourceLen = strlen(source);103 /* Copy length + 1 to include NUL terminator from source */104 /* POTENTIAL FLAW: data may not have enough space to hold source */105 for (i = 0; i < sourceLen + 1; i++)106 {107 data[i] = source[i];108 }109 printLine(data);110 delete [] data;111 }112}113114void good()115{116 goodG2B1();117 goodG2B2();118}119120#endif /* OMITGOOD */121122} /* close namespace */123124/* Below is the main(). It is only used when building this testcase on125 its own for testing or for building a binary to use in testing binary126 analysis tools. It is not used when compiling all the testcases as one127 application, which is how source code analysis tools are tested. */128129#ifdef INCLUDEMAIN130131using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_13; /* so that we can use good and bad easily */132133int main(int argc, char * argv[])134{135 /* seed randomness */136 srand( (unsigned)time(NULL) );137#ifndef OMITGOOD138 printLine("Calling good()...");139 good();140 printLine("Finished good()");141#endif /* OMITGOOD */142#ifndef OMITBAD143 printLine("Calling bad()...");144 bad();145 printLine("Finished bad()");146#endif /* OMITBAD */147 return 0;148}149150#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 24 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__CWE839_rand_15.c3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml4Template File: sources-sinks-15.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: rand Set data to result of rand(), which may be zero10 * GoodSource: Non-negative but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the lower bound14 * Flow Variant: 15 Control flow: switch(6) and switch(7)15 *16 * */1718#include "std_testcase.h"1920#ifndef OMITBAD2122void CWE124_Buffer_Underwrite__CWE839_rand_15_bad()23{✓ 24 int data;25 /* Initialize data */✓ 26 data = -1;✓ 27 switch(6)28 {✓ 29 case 6:30 /* POTENTIAL FLAW: Set data to a random value */✓ 31 data = RAND32();✓ 32 break;✓ 33 default:34 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 35 printLine("Benign, fixed string");✓ 36 break;37 }✓ 38 switch(7)39 {✓ 40 case 7:41 {✓ 42 int i;✓ 43 int buffer[10] = { 0 };44 /* POTENTIAL FLAW: Attempt to access a negative index of the array45 * This code does not check to see if the array index is negative */✓ 46 if (data < 10)47 {✓ 48 buffer[data] = 1;❗VULN49 /* Print the array values */✓ 50 for(i = 0; i < 10; i++)51 {✓ 52 printIntLine(buffer[i]);53 }54 }55 else56 {✓ 57 printLine("ERROR: Array index is negative.");58 }59 }✓ 60 break;✓ 61 default:62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 63 printLine("Benign, fixed string");✓ 64 break;65 }66}6768#endif /* OMITBAD */6970#ifndef OMITGOOD7172/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */73static void goodB2G1()74{75 int data;76 /* Initialize data */77 data = -1;78 switch(6)79 {80 case 6:81 /* POTENTIAL FLAW: Set data to a random value */82 data = RAND32();83 break;84 default:85 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */86 printLine("Benign, fixed string");87 break;88 }89 switch(8)90 {91 case 7:92 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */93 printLine("Benign, fixed string");94 break;95 default:96 {97 int i;98 int buffer[10] = { 0 };99 /* FIX: Properly validate the array index and prevent a buffer underwrite */100 if (data >= 0 && data < (10))101 {102 buffer[data] = 1;103 /* Print the array values */104 for(i = 0; i < 10; i++)105 {106 printIntLine(buffer[i]);107 }108 }109 else110 {111 printLine("ERROR: Array index is out-of-bounds");112 }113 }114 break;115 }116}117118/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */119static void goodB2G2()120{121 int data;122 /* Initialize data */123 data = -1;124 switch(6)125 {126 case 6:127 /* POTENTIAL FLAW: Set data to a random value */128 data = RAND32();129 break;130 default:131 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */132 printLine("Benign, fixed string");133 break;134 }135 switch(7)136 {137 case 7:138 {139 int i;140 int buffer[10] = { 0 };141 /* FIX: Properly validate the array index and prevent a buffer underwrite */142 if (data >= 0 && data < (10))143 {144 buffer[data] = 1;145 /* Print the array values */146 for(i = 0; i < 10; i++)147 {148 printIntLine(buffer[i]);149 }150 }151 else152 {153 printLine("ERROR: Array index is out-of-bounds");154 }155 }156 break;157 default:158 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */159 printLine("Benign, fixed string");160 break;161 }162}163164/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */165static void goodG2B1()166{167 int data;168 /* Initialize data */169 data = -1;170 switch(5)171 {172 case 6:173 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */174 printLine("Benign, fixed string");175 break;176 default:177 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to178 * access an index of the array in the sink that is out-of-bounds */179 data = 7;180 break;181 }182 switch(7)183 {184 case 7:185 {186 int i;187 int buffer[10] = { 0 };188 /* POTENTIAL FLAW: Attempt to access a negative index of the array189 * This code does not check to see if the array index is negative */190 if (data < 10)191 {192 buffer[data] = 1;193 /* Print the array values */194 for(i = 0; i < 10; i++)195 {196 printIntLine(buffer[i]);197 }198 }199 else200 {201 printLine("ERROR: Array index is negative.");202 }203 }204 break;205 default:206 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */207 printLine("Benign, fixed string");208 break;209 }210}211212/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */213static void goodG2B2()214{215 int data;216 /* Initialize data */217 data = -1;218 switch(6)219 {220 case 6:221 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to222 * access an index of the array in the sink that is out-of-bounds */223 data = 7;224 break;225 default:226 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */227 printLine("Benign, fixed string");228 break;229 }230 switch(7)231 {232 case 7:233 {234 int i;235 int buffer[10] = { 0 };236 /* POTENTIAL FLAW: Attempt to access a negative index of the array237 * This code does not check to see if the array index is negative */238 if (data < 10)239 {240 buffer[data] = 1;241 /* Print the array values */242 for(i = 0; i < 10; i++)243 {244 printIntLine(buffer[i]);245 }246 }247 else248 {249 printLine("ERROR: Array index is negative.");250 }251 }252 break;253 default:254 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */255 printLine("Benign, fixed string");256 break;257 }258}259260void CWE124_Buffer_Underwrite__CWE839_rand_15_good()261{262 goodB2G1();263 goodB2G2();264 goodG2B1();265 goodG2B2();266}267268#endif /* OMITGOOD */269270/* Below is the main(). It is only used when building this testcase on271 its own for testing or for building a binary to use in testing binary272 analysis tools. It is not used when compiling all the testcases as one273 application, which is how source code analysis tools are tested. */274275#ifdef INCLUDEMAIN276277int main(int argc, char * argv[])278{279 /* seed randomness */280 srand( (unsigned)time(NULL) );281#ifndef OMITGOOD282 printLine("Calling good()...");283 CWE124_Buffer_Underwrite__CWE839_rand_15_good();284 printLine("Finished good()");285#endif /* OMITGOOD */286#ifndef OMITBAD287 printLine("Calling bad()...");288 CWE124_Buffer_Underwrite__CWE839_rand_15_bad();289 printLine("Finished bad()");290#endif /* OMITBAD */291 return 0;292}293294#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__char_declare_memmove_33.cpp3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sinks: memmove12 * BadSink : Copy string to data using memmove13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE124_Buffer_Underwrite__char_declare_memmove_3322{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 char * &dataRef = data;✓ 30 char dataBuffer[100];✓ 31 memset(dataBuffer, 'A', 100-1);✓ 32 dataBuffer[100-1] = '\0';33 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 34 data = dataBuffer - 8;35 {✓ 36 char * data = dataRef;37 {✓ 38 char source[100];✓ 39 memset(source, 'C', 100-1); /* fill with 'C's */✓ 40 source[100-1] = '\0'; /* null terminate */41 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 42 memmove(data, source, 100*sizeof(char));❗VULN43 /* Ensure the destination buffer is null terminated */✓ 44 data[100-1] = '\0';✓ 45 printLine(data);46 }47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B() uses the GoodSource with the BadSink */55static void goodG2B()56{57 char * data;58 char * &dataRef = data;59 char dataBuffer[100];60 memset(dataBuffer, 'A', 100-1);61 dataBuffer[100-1] = '\0';62 /* FIX: Set data pointer to the allocated memory buffer */63 data = dataBuffer;64 {65 char * data = dataRef;66 {67 char source[100];68 memset(source, 'C', 100-1); /* fill with 'C's */69 source[100-1] = '\0'; /* null terminate */70 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */71 memmove(data, source, 100*sizeof(char));72 /* Ensure the destination buffer is null terminated */73 data[100-1] = '\0';74 printLine(data);75 }76 }77}7879void good()80{81 goodG2B();82}8384#endif /* OMITGOOD */8586} /* close namespace */8788/* Below is the main(). It is only used when building this testcase on89 * its own for testing or for building a binary to use in testing binary90 * analysis tools. It is not used when compiling all the testcases as one91 * application, which is how source code analysis tools are tested.92 */93#ifdef INCLUDEMAIN9495using namespace CWE124_Buffer_Underwrite__char_declare_memmove_33; /* so that we can use good and bad easily */9697int main(int argc, char * argv[])98{99 /* seed randomness */100 srand( (unsigned)time(NULL) );101#ifndef OMITGOOD102 printLine("Calling good()...");103 good();104 printLine("Finished good()");105#endif /* OMITGOOD */106#ifndef OMITBAD107 printLine("Calling bad()...");108 bad();109 printLine("Finished bad()");110#endif /* OMITBAD */111 return 0;112}113114#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncpy12 * BadSink : Copy data to string using wcsncpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 * any other value so a tool should be able to identify that reads of23 * this will always give its initialized value.24 */25static int staticFive = 5;2627#ifndef OMITBAD2829void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07_bad()30{✓ 31 wchar_t * data;✓ 32 data = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 33 if (data == NULL) {exit(-1);}✓ 34 if(staticFive==5)35 {36 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 37 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 38 data[100-1] = L'\0'; /* null terminate */39 }40 {✓ 41 wchar_t dest[50] = L"";42 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 43 wcsncpy(dest, data, wcslen(data));❗VULN✓ 44 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 45 printWLine(data);✓ 46 free(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */55static void goodG2B1()56{57 wchar_t * data;58 data = (wchar_t *)malloc(100*sizeof(wchar_t));59 if (data == NULL) {exit(-1);}60 if(staticFive!=5)61 {62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */63 printLine("Benign, fixed string");64 }65 else66 {67 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */68 wmemset(data, L'A', 50-1); /* fill with L'A's */69 data[50-1] = L'\0'; /* null terminate */70 }71 {72 wchar_t dest[50] = L"";73 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */74 wcsncpy(dest, data, wcslen(data));75 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */76 printWLine(data);77 free(data);78 }79}8081/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */82static void goodG2B2()83{84 wchar_t * data;85 data = (wchar_t *)malloc(100*sizeof(wchar_t));86 if (data == NULL) {exit(-1);}87 if(staticFive==5)88 {89 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */90 wmemset(data, L'A', 50-1); /* fill with L'A's */91 data[50-1] = L'\0'; /* null terminate */92 }93 {94 wchar_t dest[50] = L"";95 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */96 wcsncpy(dest, data, wcslen(data));97 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */98 printWLine(data);99 free(data);100 }101}102103void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07_good()104{105 goodG2B1();106 goodG2B2();107}108109#endif /* OMITGOOD */110111/* Below is the main(). It is only used when building this testcase on112 * its own for testing or for building a binary to use in testing binary113 * analysis tools. It is not used when compiling all the testcases as one114 * application, which is how source code analysis tools are tested.115 */116117#ifdef INCLUDEMAIN118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07_good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07_bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 6 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__char_alloca_cpy_45.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-45.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sinks: cpy12 * BadSink : Copy string to data using strcpy13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021static char * CWE124_Buffer_Underwrite__char_alloca_cpy_45_badData;22static char * CWE124_Buffer_Underwrite__char_alloca_cpy_45_goodG2BData;2324#ifndef OMITBAD2526static void badSink()27{✓ 28 char * data = CWE124_Buffer_Underwrite__char_alloca_cpy_45_badData;29 {✓ 30 char source[100];✓ 31 memset(source, 'C', 100-1); /* fill with 'C's */✓ 32 source[100-1] = '\0'; /* null terminate */33 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 34 strcpy(data, source);❗VULN✓ 35 printLine(data);36 }37}3839void CWE124_Buffer_Underwrite__char_alloca_cpy_45_bad()40{41 char * data;42 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));43 memset(dataBuffer, 'A', 100-1);44 dataBuffer[100-1] = '\0';45 /* FLAW: Set data pointer to before the allocated memory buffer */46 data = dataBuffer - 8;47 CWE124_Buffer_Underwrite__char_alloca_cpy_45_badData = data;48 badSink();49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() uses the GoodSource with the BadSink */56static void goodG2BSink()57{58 char * data = CWE124_Buffer_Underwrite__char_alloca_cpy_45_goodG2BData;59 {60 char source[100];61 memset(source, 'C', 100-1); /* fill with 'C's */62 source[100-1] = '\0'; /* null terminate */63 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */64 strcpy(data, source);65 printLine(data);66 }67}6869static void goodG2B()70{71 char * data;72 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));73 memset(dataBuffer, 'A', 100-1);74 dataBuffer[100-1] = '\0';75 /* FIX: Set data pointer to the allocated memory buffer */76 data = dataBuffer;77 CWE124_Buffer_Underwrite__char_alloca_cpy_45_goodG2BData = data;78 goodG2BSink();79}8081void CWE124_Buffer_Underwrite__char_alloca_cpy_45_good()82{83 goodG2B();84}8586#endif /* OMITGOOD */8788/* Below is the main(). It is only used when building this testcase on89 * its own for testing or for building a binary to use in testing binary90 * analysis tools. It is not used when compiling all the testcases as one91 * application, which is how source code analysis tools are tested.92 */93#ifdef INCLUDEMAIN9495int main(int argc, char * argv[])96{97 /* seed randomness */98 srand( (unsigned)time(NULL) );99#ifndef OMITGOOD100 printLine("Calling good()...");101 CWE124_Buffer_Underwrite__char_alloca_cpy_45_good();102 printLine("Finished good()");103#endif /* OMITGOOD */104#ifndef OMITBAD105 printLine("Calling bad()...");106 CWE124_Buffer_Underwrite__char_alloca_cpy_45_bad();107 printLine("Finished bad()");108#endif /* OMITBAD */109 return 0;110}111112#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18_bad()24{✓ 25 char * data;✓ 26 char dataBuffer[100];✓ 27 data = dataBuffer;✓ 28 goto source;✓ 29source:30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 31 memset(data, 'A', 100-1); /* fill with 'A's */✓ 32 data[100-1] = '\0'; /* null terminate */33 {✓ 34 char dest[50] = "";✓ 35 size_t i, dataLen;✓ 36 dataLen = strlen(data);37 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 38 for (i = 0; i < dataLen; i++)39 {✓ 40 dest[i] = data[i];❗VULN41 }✓ 42 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 43 printLine(data);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */52static void goodG2B()53{54 char * data;55 char dataBuffer[100];56 data = dataBuffer;57 goto source;58source:59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */60 memset(data, 'A', 50-1); /* fill with 'A's */61 data[50-1] = '\0'; /* null terminate */62 {63 char dest[50] = "";64 size_t i, dataLen;65 dataLen = strlen(data);66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */67 for (i = 0; i < dataLen; i++)68 {69 dest[i] = data[i];70 }71 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */72 printLine(data);73 }74}7576void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18_good()77{78 goodG2B();79}8081#endif /* OMITGOOD */8283/* Below is the main(). It is only used when building this testcase on84 * its own for testing or for building a binary to use in testing binary85 * analysis tools. It is not used when compiling all the testcases as one86 * application, which is how source code analysis tools are tested.87 */8889#ifdef INCLUDEMAIN9091int main(int argc, char * argv[])92{93 /* seed randomness */94 srand( (unsigned)time(NULL) );95#ifndef OMITGOOD96 printLine("Calling good()...");97 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18_good();98 printLine("Finished good()");99#endif /* OMITGOOD */100#ifndef OMITBAD101 printLine("Calling bad()...");102 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18_bad();103 printLine("Finished bad()");104#endif /* OMITBAD */105 return 0;106}107108#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml4Template File: sources-sink-13.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy twoIntsStruct array to data using memmove13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13_bad()22{✓ 23 twoIntsStruct * data;✓ 24 data = NULL;✓ 25 if(GLOBAL_CONST_FIVE==5)26 {27 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 28 data = (twoIntsStruct *)malloc(50*sizeof(twoIntsStruct));✓ 29 if (data == NULL) {exit(-1);}30 }31 {✓ 32 twoIntsStruct source[100];33 {✓ 34 size_t i;35 /* Initialize array */✓ 36 for (i = 0; i < 100; i++)37 {✓ 38 source[i].intOne = 0;✓ 39 source[i].intTwo = 0;40 }41 }42 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 43 memmove(data, source, 100*sizeof(twoIntsStruct));❗VULN✓ 44 printStructLine(&data[0]);✓ 45 free(data);46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */54static void goodG2B1()55{56 twoIntsStruct * data;57 data = NULL;58 if(GLOBAL_CONST_FIVE!=5)59 {60 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */61 printLine("Benign, fixed string");62 }63 else64 {65 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */66 data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct));67 if (data == NULL) {exit(-1);}68 }69 {70 twoIntsStruct source[100];71 {72 size_t i;73 /* Initialize array */74 for (i = 0; i < 100; i++)75 {76 source[i].intOne = 0;77 source[i].intTwo = 0;78 }79 }80 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */81 memmove(data, source, 100*sizeof(twoIntsStruct));82 printStructLine(&data[0]);83 free(data);84 }85}8687/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */88static void goodG2B2()89{90 twoIntsStruct * data;91 data = NULL;92 if(GLOBAL_CONST_FIVE==5)93 {94 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */95 data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct));96 if (data == NULL) {exit(-1);}97 }98 {99 twoIntsStruct source[100];100 {101 size_t i;102 /* Initialize array */103 for (i = 0; i < 100; i++)104 {105 source[i].intOne = 0;106 source[i].intTwo = 0;107 }108 }109 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */110 memmove(data, source, 100*sizeof(twoIntsStruct));111 printStructLine(&data[0]);112 free(data);113 }114}115116void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13_good()117{118 goodG2B1();119 goodG2B2();120}121122#endif /* OMITGOOD */123124/* Below is the main(). It is only used when building this testcase on125 * its own for testing or for building a binary to use in testing binary126 * analysis tools. It is not used when compiling all the testcases as one127 * application, which is how source code analysis tools are tested.128 */129130#ifdef INCLUDEMAIN131132int main(int argc, char * argv[])133{134 /* seed randomness */135 srand( (unsigned)time(NULL) );136#ifndef OMITGOOD137 printLine("Calling good()...");138 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13_good();139 printLine("Finished good()");140#endif /* OMITGOOD */141#ifndef OMITBAD142 printLine("Calling bad()...");143 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13_bad();144 printLine("Finished bad()");145#endif /* OMITBAD */146 return 0;147}148149#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__wchar_t_alloca_memmove_33.cpp3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sinks: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE126_Buffer_Overread__wchar_t_alloca_memmove_3322{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 wchar_t * &dataRef = data;✓ 30 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));✓ 31 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 32 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */✓ 33 dataBadBuffer[50-1] = L'\0'; /* null terminate */✓ 34 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */✓ 35 dataGoodBuffer[100-1] = L'\0'; /* null terminate */36 /* FLAW: Set data pointer to a small buffer */✓ 37 data = dataBadBuffer;38 {✓ 39 wchar_t * data = dataRef;40 {✓ 41 wchar_t dest[100];✓ 42 wmemset(dest, L'C', 100-1);✓ 43 dest[100-1] = L'\0'; /* null terminate */44 /* POTENTIAL FLAW: using memmove with the length of the dest where data45 * could be smaller than dest causing buffer overread */✓ 46 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN✓ 47 dest[100-1] = L'\0';✓ 48 printWLine(dest);49 }50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B() uses the GoodSource with the BadSink */58static void goodG2B()59{60 wchar_t * data;61 wchar_t * &dataRef = data;62 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));63 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));64 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */65 dataBadBuffer[50-1] = L'\0'; /* null terminate */66 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */67 dataGoodBuffer[100-1] = L'\0'; /* null terminate */68 /* FIX: Set data pointer to a large buffer */69 data = dataGoodBuffer;70 {71 wchar_t * data = dataRef;72 {73 wchar_t dest[100];74 wmemset(dest, L'C', 100-1);75 dest[100-1] = L'\0'; /* null terminate */76 /* POTENTIAL FLAW: using memmove with the length of the dest where data77 * could be smaller than dest causing buffer overread */78 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));79 dest[100-1] = L'\0';80 printWLine(dest);81 }82 }83}8485void good()86{87 goodG2B();88}8990#endif /* OMITGOOD */9192} /* close namespace */9394/* Below is the main(). It is only used when building this testcase on95 * its own for testing or for building a binary to use in testing binary96 * analysis tools. It is not used when compiling all the testcases as one97 * application, which is how source code analysis tools are tested.98 */99#ifdef INCLUDEMAIN100101using namespace CWE126_Buffer_Overread__wchar_t_alloca_memmove_33; /* so that we can use good and bad easily */102103int main(int argc, char * argv[])104{105 /* seed randomness */106 srand( (unsigned)time(NULL) );107#ifndef OMITGOOD108 printLine("Calling good()...");109 good();110 printLine("Finished good()");111#endif /* OMITGOOD */112#ifndef OMITBAD113 printLine("Calling bad()...");114 bad();115 printLine("Finished bad()");116#endif /* OMITBAD */117 return 0;118}119120#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 * any other value so a tool should be able to identify that reads of23 * this will always give its initialized value.24 */25static int staticFive = 5;2627#ifndef OMITBAD2829void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07_bad()30{✓ 31 char * data;✓ 32 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 33 data = dataBuffer;✓ 34 if(staticFive==5)35 {36 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 37 memset(data, 'A', 100-1); /* fill with 'A's */✓ 38 data[100-1] = '\0'; /* null terminate */39 }40 {✓ 41 char dest[50] = "";42 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 43 strcpy(dest, data);❗VULN✓ 44 printLine(data);45 }46}4748#endif /* OMITBAD */4950#ifndef OMITGOOD5152/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */53static void goodG2B1()54{55 char * data;56 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));57 data = dataBuffer;58 if(staticFive!=5)59 {60 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */61 printLine("Benign, fixed string");62 }63 else64 {65 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */66 memset(data, 'A', 50-1); /* fill with 'A's */67 data[50-1] = '\0'; /* null terminate */68 }69 {70 char dest[50] = "";71 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */72 strcpy(dest, data);73 printLine(data);74 }75}7677/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */78static void goodG2B2()79{80 char * data;81 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));82 data = dataBuffer;83 if(staticFive==5)84 {85 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */86 memset(data, 'A', 50-1); /* fill with 'A's */87 data[50-1] = '\0'; /* null terminate */88 }89 {90 char dest[50] = "";91 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */92 strcpy(dest, data);93 printLine(data);94 }95}9697void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07_good()98{99 goodG2B1();100 goodG2B2();101}102103#endif /* OMITGOOD */104105/* Below is the main(). It is only used when building this testcase on106 * its own for testing or for building a binary to use in testing binary107 * analysis tools. It is not used when compiling all the testcases as one108 * application, which is how source code analysis tools are tested.109 */110111#ifdef INCLUDEMAIN112113int main(int argc, char * argv[])114{115 /* seed randomness */116 srand( (unsigned)time(NULL) );117#ifndef OMITGOOD118 printLine("Calling good()...");119 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07_good();120 printLine("Finished good()");121#endif /* OMITGOOD */122#ifndef OMITBAD123 printLine("Calling bad()...");124 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07_bad();125 printLine("Finished bad()");126#endif /* OMITBAD */127 return 0;128}129130#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22a.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml4Template File: sources-sink-22a.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: cat12 * BadSink : Copy string to data using strcat13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223/* The global variable below is used to drive control flow in the source function */24int CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_badGlobal = 0;2526char * CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_badSource(char * data);2728void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_bad()29{✓ 30 char * data;✓ 31 data = NULL;✓ 32 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_badGlobal = 1; /* true */✓ 33 data = CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_badSource(data);34 {✓ 35 char source[100];✓ 36 memset(source, 'C', 100-1); /* fill with 'C's */✓ 37 source[100-1] = '\0'; /* null terminate */38 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 39 strcat(data, source);❗VULN✓ 40 printLine(data);✓ 41 free(data);42 }43}4445#endif /* OMITBAD */4647#ifndef OMITGOOD4849/* The global variables below are used to drive control flow in the source functions. */50int CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B1Global = 0;51int CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B2Global = 0;5253/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */54char * CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B1Source(char * data);5556static void goodG2B1()57{58 char * data;59 data = NULL;60 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B1Global = 0; /* false */61 data = CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B1Source(data);62 {63 char source[100];64 memset(source, 'C', 100-1); /* fill with 'C's */65 source[100-1] = '\0'; /* null terminate */66 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */67 strcat(data, source);68 printLine(data);69 free(data);70 }71}7273/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */74char * CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B2Source(char * data);7576static void goodG2B2()77{78 char * data;79 data = NULL;80 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B2Global = 1; /* true */81 data = CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B2Source(data);82 {83 char source[100];84 memset(source, 'C', 100-1); /* fill with 'C's */85 source[100-1] = '\0'; /* null terminate */86 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */87 strcat(data, source);88 printLine(data);89 free(data);90 }91}9293void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_good()94{95 goodG2B1();96 goodG2B2();97}9899#endif /* OMITGOOD */100101/* Below is the main(). It is only used when building this testcase on102 * its own for testing or for building a binary to use in testing binary103 * analysis tools. It is not used when compiling all the testcases as one104 * application, which is how source code analysis tools are tested.105 */106107#ifdef INCLUDEMAIN108109int main(int argc, char * argv[])110{111 /* seed randomness */112 srand( (unsigned)time(NULL) );113#ifndef OMITGOOD114 printLine("Calling good()...");115 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_good();116 printLine("Finished good()");117#endif /* OMITGOOD */118#ifndef OMITBAD119 printLine("Calling bad()...");120 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_bad();121 printLine("Finished bad()");122#endif /* OMITBAD */123 return 0;124}125126#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-04.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: swprintf12 * BadSink : Copy data to string using swprintf13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627/* The two variables below are declared "const", so a tool should28 * be able to identify that reads of these will always return their29 * initialized values.30 */31static const int STATIC_CONST_TRUE = 1; /* true */32static const int STATIC_CONST_FALSE = 0; /* false */3334#ifndef OMITBAD3536void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04_bad()37{✓ 38 wchar_t * data;✓ 39 data = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 40 if (data == NULL) {exit(-1);}✓ 41 if(STATIC_CONST_TRUE)42 {43 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 44 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 45 data[100-1] = L'\0'; /* null terminate */46 }47 {✓ 48 wchar_t dest[50] = L"";49 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 50 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN✓ 51 printWLine(data);✓ 52 free(data);53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */61static void goodG2B1()62{63 wchar_t * data;64 data = (wchar_t *)malloc(100*sizeof(wchar_t));65 if (data == NULL) {exit(-1);}66 if(STATIC_CONST_FALSE)67 {68 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */69 printLine("Benign, fixed string");70 }71 else72 {73 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */74 wmemset(data, L'A', 50-1); /* fill with L'A's */75 data[50-1] = L'\0'; /* null terminate */76 }77 {78 wchar_t dest[50] = L"";79 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */80 SNPRINTF(dest, wcslen(data), L"%s", data);81 printWLine(data);82 free(data);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 wchar_t * data;90 data = (wchar_t *)malloc(100*sizeof(wchar_t));91 if (data == NULL) {exit(-1);}92 if(STATIC_CONST_TRUE)93 {94 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */95 wmemset(data, L'A', 50-1); /* fill with L'A's */96 data[50-1] = L'\0'; /* null terminate */97 }98 {99 wchar_t dest[50] = L"";100 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */101 SNPRINTF(dest, wcslen(data), L"%s", data);102 printWLine(data);103 free(data);104 }105}106107void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04_good()108{109 goodG2B1();110 goodG2B2();111}112113#endif /* OMITGOOD */114115/* Below is the main(). It is only used when building this testcase on116 * its own for testing or for building a binary to use in testing binary117 * analysis tools. It is not used when compiling all the testcases as one118 * application, which is how source code analysis tools are tested.119 */120121#ifdef INCLUDEMAIN122123int main(int argc, char * argv[])124{125 /* seed randomness */126 srand( (unsigned)time(NULL) );127#ifndef OMITGOOD128 printLine("Calling good()...");129 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04_good();130 printLine("Finished good()");131#endif /* OMITGOOD */132#ifndef OMITBAD133 printLine("Calling bad()...");134 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04_bad();135 printLine("Finished bad()");136#endif /* OMITBAD */137 return 0;138}139140#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy int array to data using memmove13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819/* The variable below is not declared "const", but is never assigned20 * any other value so a tool should be able to identify that reads of21 * this will always give its initialized value.22 */23static int staticFive = 5;2425#ifndef OMITBAD2627void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07_bad()28{✓ 29 int * data;✓ 30 data = NULL;✓ 31 if(staticFive==5)32 {33 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 34 data = (int *)malloc(50*sizeof(int));✓ 35 if (data == NULL) {exit(-1);}36 }37 {✓ 38 int source[100] = {0}; /* fill with 0's */39 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 40 memmove(data, source, 100*sizeof(int));❗VULN✓ 41 printIntLine(data[0]);✓ 42 free(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */51static void goodG2B1()52{53 int * data;54 data = NULL;55 if(staticFive!=5)56 {57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */58 printLine("Benign, fixed string");59 }60 else61 {62 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */63 data = (int *)malloc(100*sizeof(int));64 if (data == NULL) {exit(-1);}65 }66 {67 int source[100] = {0}; /* fill with 0's */68 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */69 memmove(data, source, 100*sizeof(int));70 printIntLine(data[0]);71 free(data);72 }73}7475/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */76static void goodG2B2()77{78 int * data;79 data = NULL;80 if(staticFive==5)81 {82 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */83 data = (int *)malloc(100*sizeof(int));84 if (data == NULL) {exit(-1);}85 }86 {87 int source[100] = {0}; /* fill with 0's */88 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */89 memmove(data, source, 100*sizeof(int));90 printIntLine(data[0]);91 free(data);92 }93}9495void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07_good()96{97 goodG2B1();98 goodG2B2();99}100101#endif /* OMITGOOD */102103/* Below is the main(). It is only used when building this testcase on104 * its own for testing or for building a binary to use in testing binary105 * analysis tools. It is not used when compiling all the testcases as one106 * application, which is how source code analysis tools are tested.107 */108109#ifdef INCLUDEMAIN110111int main(int argc, char * argv[])112{113 /* seed randomness */114 srand( (unsigned)time(NULL) );115#ifndef OMITGOOD116 printLine("Calling good()...");117 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07_good();118 printLine("Finished good()");119#endif /* OMITGOOD */120#ifndef OMITBAD121 printLine("Calling bad()...");122 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07_bad();123 printLine("Finished bad()");124#endif /* OMITBAD */125 return 0;126}127128#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 21 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__wchar_t_declare_loop_16.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-16.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__wchar_t_declare_loop_16_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t dataBadBuffer[50];✓ 27 wchar_t dataGoodBuffer[100];✓ 28 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */✓ 29 dataBadBuffer[50-1] = L'\0'; /* null terminate */✓ 30 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */✓ 31 dataGoodBuffer[100-1] = L'\0'; /* null terminate */✓ 32 while(1)33 {34 /* FLAW: Set data pointer to a small buffer */✓ 35 data = dataBadBuffer;✓ 36 break;37 }38 {✓ 39 size_t i, destLen;✓ 40 wchar_t dest[100];✓ 41 wmemset(dest, L'C', 100-1);✓ 42 dest[100-1] = L'\0'; /* null terminate */✓ 43 destLen = wcslen(dest);44 /* POTENTIAL FLAW: using length of the dest where data45 * could be smaller than dest causing buffer overread */✓ 46 for (i = 0; i < destLen; i++)47 {✓ 48 dest[i] = data[i];❗VULN49 }✓ 50 dest[100-1] = L'\0';✓ 51 printWLine(dest);52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */60static void goodG2B()61{62 wchar_t * data;63 wchar_t dataBadBuffer[50];64 wchar_t dataGoodBuffer[100];65 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */66 dataBadBuffer[50-1] = L'\0'; /* null terminate */67 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */68 dataGoodBuffer[100-1] = L'\0'; /* null terminate */69 while(1)70 {71 /* FIX: Set data pointer to a large buffer */72 data = dataGoodBuffer;73 break;74 }75 {76 size_t i, destLen;77 wchar_t dest[100];78 wmemset(dest, L'C', 100-1);79 dest[100-1] = L'\0'; /* null terminate */80 destLen = wcslen(dest);81 /* POTENTIAL FLAW: using length of the dest where data82 * could be smaller than dest causing buffer overread */83 for (i = 0; i < destLen; i++)84 {85 dest[i] = data[i];86 }87 dest[100-1] = L'\0';88 printWLine(dest);89 }90}9192void CWE126_Buffer_Overread__wchar_t_declare_loop_16_good()93{94 goodG2B();95}9697#endif /* OMITGOOD */9899/* Below is the main(). It is only used when building this testcase on100 * its own for testing or for building a binary to use in testing binary101 * analysis tools. It is not used when compiling all the testcases as one102 * application, which is how source code analysis tools are tested.103 */104105#ifdef INCLUDEMAIN106107int main(int argc, char * argv[])108{109 /* seed randomness */110 srand( (unsigned)time(NULL) );111#ifndef OMITGOOD112 printLine("Calling good()...");113 CWE126_Buffer_Overread__wchar_t_declare_loop_16_good();114 printLine("Finished good()");115#endif /* OMITGOOD */116#ifndef OMITBAD117 printLine("Calling bad()...");118 CWE126_Buffer_Overread__wchar_t_declare_loop_16_bad();119 printLine("Finished bad()");120#endif /* OMITBAD */121 return 0;122}123124#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 7 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__sizeof.label.xml4Template File: sources-sink-11.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize the source buffer using the size of a pointer10 * GoodSource: Initialize the source buffer using the size of the DataElementType11 * Sink:12 * BadSink : Print then free data13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11_bad()22{✓ 23 double * data;24 /* Initialize data */✓ 25 data = NULL;✗ 26 if(globalReturnsTrue())27 {28 /* INCIDENTAL: CWE-467 (Use of sizeof() on a pointer type) */29 /* FLAW: Using sizeof the pointer and not the data type in malloc() */✗ 30 data = (double *)malloc(sizeof(data));✗ 31 if (data == NULL) {exit(-1);}✓ 32 *data = 1.7E300;❗VULN33 }34 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */✓ 35 printDoubleLine(*data);❗VULN✗ 36 free(data);37}3839#endif /* OMITBAD */4041#ifndef OMITGOOD4243/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */44static void goodG2B1()45{46 double * data;47 /* Initialize data */48 data = NULL;49 if(globalReturnsFalse())50 {51 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */52 printLine("Benign, fixed string");53 }54 else55 {56 /* FIX: Using sizeof the data type in malloc() */57 data = (double *)malloc(sizeof(*data));58 if (data == NULL) {exit(-1);}59 *data = 1.7E300;60 }61 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */62 printDoubleLine(*data);63 free(data);64}6566/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */67static void goodG2B2()68{69 double * data;70 /* Initialize data */71 data = NULL;72 if(globalReturnsTrue())73 {74 /* FIX: Using sizeof the data type in malloc() */75 data = (double *)malloc(sizeof(*data));76 if (data == NULL) {exit(-1);}77 *data = 1.7E300;78 }79 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */80 printDoubleLine(*data);81 free(data);82}8384void CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11_good()85{86 goodG2B1();87 goodG2B2();88}8990#endif /* OMITGOOD */9192/* Below is the main(). It is only used when building this testcase on93 * its own for testing or for building a binary to use in testing binary94 * analysis tools. It is not used when compiling all the testcases as one95 * application, which is how source code analysis tools are tested.96 */9798#ifdef INCLUDEMAIN99100int main(int argc, char * argv[])101{102 /* seed randomness */103 srand( (unsigned)time(NULL) );104#ifndef OMITGOOD105 printLine("Calling good()...");106 CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11_good();107 printLine("Finished good()");108#endif /* OMITGOOD */109#ifndef OMITBAD110 printLine("Calling bad()...");111 CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11_bad();112 printLine("Finished bad()");113#endif /* OMITBAD */114 return 0;115}116117#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_class_memcpy_34.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml4Template File: sources-sink-34.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sinks: memcpy12 * BadSink : Copy TwoIntsClass array to data using memcpy13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_class_memcpy_3420{2122typedef union23{24 TwoIntsClass * unionFirst;25 TwoIntsClass * unionSecond;26} unionType;2728#ifndef OMITBAD2930void bad()31{✓ 32 TwoIntsClass * data;✓ 33 unionType myUnion;✓ 34 data = NULL;35 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 36 data = new TwoIntsClass[50];✓ 37 myUnion.unionFirst = data;38 {✓ 39 TwoIntsClass * data = myUnion.unionSecond;40 {✓ 41 TwoIntsClass source[100];42 {✓ 43 size_t i;44 /* Initialize array */✓ 45 for (i = 0; i < 100; i++)46 {✓ 47 source[i].intOne = 0;✓ 48 source[i].intTwo = 0;49 }50 }51 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 52 memcpy(data, source, 100*sizeof(TwoIntsClass));❗VULN✓ 53 printIntLine(data[0].intOne);✓ 54 delete [] data;55 }56 }57}5859#endif /* OMITBAD */6061#ifndef OMITGOOD6263/* goodG2B() uses the GoodSource with the BadSink */64static void goodG2B()65{66 TwoIntsClass * data;67 unionType myUnion;68 data = NULL;69 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */70 data = new TwoIntsClass[100];71 myUnion.unionFirst = data;72 {73 TwoIntsClass * data = myUnion.unionSecond;74 {75 TwoIntsClass source[100];76 {77 size_t i;78 /* Initialize array */79 for (i = 0; i < 100; i++)80 {81 source[i].intOne = 0;82 source[i].intTwo = 0;83 }84 }85 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */86 memcpy(data, source, 100*sizeof(TwoIntsClass));87 printIntLine(data[0].intOne);88 delete [] data;89 }90 }91}9293void good()94{95 goodG2B();96}9798#endif /* OMITGOOD */99100} /* close namespace */101102/* Below is the main(). It is only used when building this testcase on103 its own for testing or for building a binary to use in testing binary104 analysis tools. It is not used when compiling all the testcases as one105 application, which is how source code analysis tools are tested. */106#ifdef INCLUDEMAIN107108using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_class_memcpy_34; /* so that we can use good and bad easily */109110int main(int argc, char * argv[])111{112 /* seed randomness */113 srand( (unsigned)time(NULL) );114#ifndef OMITGOOD115 printLine("Calling good()...");116 good();117 printLine("Finished good()");118#endif /* OMITGOOD */119#ifndef OMITBAD120 printLine("Calling bad()...");121 bad();122 printLine("Finished bad()");123#endif /* OMITBAD */124 return 0;125}126127#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_char_memcpy_14.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-14.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE124_Buffer_Underwrite__new_char_memcpy_1422{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = NULL;✓ 30 if(globalFive==5)31 {32 {✓ 33 char * dataBuffer = new char[100];✓ 34 memset(dataBuffer, 'A', 100-1);✓ 35 dataBuffer[100-1] = '\0';36 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 37 data = dataBuffer - 8;38 }39 }40 {✓ 41 char source[100];✓ 42 memset(source, 'C', 100-1); /* fill with 'C's */✓ 43 source[100-1] = '\0'; /* null terminate */44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 45 memcpy(data, source, 100*sizeof(char));❗VULN46 /* Ensure the destination buffer is null terminated */✓ 47 data[100-1] = '\0';✓ 48 printLine(data);49 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location50 * returned by new [] so can't safely call delete [] on it */51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */59static void goodG2B1()60{61 char * data;62 data = NULL;63 if(globalFive!=5)64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 {71 char * dataBuffer = new char[100];72 memset(dataBuffer, 'A', 100-1);73 dataBuffer[100-1] = '\0';74 /* FIX: Set data pointer to the allocated memory buffer */75 data = dataBuffer;76 }77 }78 {79 char source[100];80 memset(source, 'C', 100-1); /* fill with 'C's */81 source[100-1] = '\0'; /* null terminate */82 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */83 memcpy(data, source, 100*sizeof(char));84 /* Ensure the destination buffer is null terminated */85 data[100-1] = '\0';86 printLine(data);87 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location88 * returned by new [] so can't safely call delete [] on it */89 }90}9192/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */93static void goodG2B2()94{95 char * data;96 data = NULL;97 if(globalFive==5)98 {99 {100 char * dataBuffer = new char[100];101 memset(dataBuffer, 'A', 100-1);102 dataBuffer[100-1] = '\0';103 /* FIX: Set data pointer to the allocated memory buffer */104 data = dataBuffer;105 }106 }107 {108 char source[100];109 memset(source, 'C', 100-1); /* fill with 'C's */110 source[100-1] = '\0'; /* null terminate */111 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */112 memcpy(data, source, 100*sizeof(char));113 /* Ensure the destination buffer is null terminated */114 data[100-1] = '\0';115 printLine(data);116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location117 * returned by new [] so can't safely call delete [] on it */118 }119}120121void good()122{123 goodG2B1();124 goodG2B2();125}126127#endif /* OMITGOOD */128129} /* close namespace */130131/* Below is the main(). It is only used when building this testcase on132 its own for testing or for building a binary to use in testing binary133 analysis tools. It is not used when compiling all the testcases as one134 application, which is how source code analysis tools are tested. */135136#ifdef INCLUDEMAIN137138using namespace CWE124_Buffer_Underwrite__new_char_memcpy_14; /* so that we can use good and bad easily */139140int main(int argc, char * argv[])141{142 /* seed randomness */143 srand( (unsigned)time(NULL) );144#ifndef OMITGOOD145 printLine("Calling good()...");146 good();147 printLine("Finished good()");148#endif /* OMITGOOD */149#ifndef OMITBAD150 printLine("Calling bad()...");151 bad();152 printLine("Finished bad()");153#endif /* OMITBAD */154 return 0;155}156157#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_07.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml4Template File: sources-sink-07.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncpy12 * BadSink : Copy data to string using strncpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 any other value so a tool should be able to identify that reads of23 this will always give its initialized value. */24static int staticFive = 5;2526namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_0727{2829#ifndef OMITBAD3031void bad()32{✓ 33 char * data;✓ 34 data = new char[100];✓ 35 if(staticFive==5)36 {37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 38 memset(data, 'A', 100-1); /* fill with 'A's */✓ 39 data[100-1] = '\0'; /* null terminate */40 }41 {✓ 42 char dest[50] = "";43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 44 strncpy(dest, data, strlen(data));❗VULN✓ 45 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 46 printLine(data);✓ 47 delete [] data;48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */56static void goodG2B1()57{58 char * data;59 data = new char[100];60 if(staticFive!=5)61 {62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */63 printLine("Benign, fixed string");64 }65 else66 {67 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */68 memset(data, 'A', 50-1); /* fill with 'A's */69 data[50-1] = '\0'; /* null terminate */70 }71 {72 char dest[50] = "";73 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */74 strncpy(dest, data, strlen(data));75 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */76 printLine(data);77 delete [] data;78 }79}8081/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */82static void goodG2B2()83{84 char * data;85 data = new char[100];86 if(staticFive==5)87 {88 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */89 memset(data, 'A', 50-1); /* fill with 'A's */90 data[50-1] = '\0'; /* null terminate */91 }92 {93 char dest[50] = "";94 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */95 strncpy(dest, data, strlen(data));96 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */97 printLine(data);98 delete [] data;99 }100}101102void good()103{104 goodG2B1();105 goodG2B2();106}107108#endif /* OMITGOOD */109110} /* close namespace */111112/* Below is the main(). It is only used when building this testcase on113 its own for testing or for building a binary to use in testing binary114 analysis tools. It is not used when compiling all the testcases as one115 application, which is how source code analysis tools are tested. */116117#ifdef INCLUDEMAIN118119using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_07; /* so that we can use good and bad easily */120121int main(int argc, char * argv[])122{123 /* seed randomness */124 srand( (unsigned)time(NULL) );125#ifndef OMITGOOD126 printLine("Calling good()...");127 good();128 printLine("Finished good()");129#endif /* OMITGOOD */130#ifndef OMITBAD131 printLine("Calling bad()...");132 bad();133 printLine("Finished bad()");134#endif /* OMITBAD */135 return 0;136}137138#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__CWE839_connect_socket_45.c3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml4Template File: sources-sinks-45.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: connect_socket Read data using a connect socket (client side)10 * GoodSource: Non-negative but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the lower bound14 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file15 *16 * */1718#include "std_testcase.h"1920#ifdef _WIN3221#include <winsock2.h>22#include <windows.h>23#include <direct.h>24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */25#define CLOSE_SOCKET closesocket26#else /* NOT _WIN32 */27#include <sys/types.h>28#include <sys/socket.h>29#include <netinet/in.h>30#include <arpa/inet.h>31#include <unistd.h>32#define INVALID_SOCKET -133#define SOCKET_ERROR -134#define CLOSE_SOCKET close35#define SOCKET int36#endif3738#define TCP_PORT 2701539#define IP_ADDRESS "127.0.0.1"40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)4142static int CWE124_Buffer_Underwrite__CWE839_connect_socket_45_badData;43static int CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodG2BData;44static int CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodB2GData;4546#ifndef OMITBAD4748static void badSink()49{✓ 50 int data = CWE124_Buffer_Underwrite__CWE839_connect_socket_45_badData;51 {✓ 52 int i;✓ 53 int buffer[10] = { 0 };54 /* POTENTIAL FLAW: Attempt to access a negative index of the array55 * This code does not check to see if the array index is negative */✓ 56 if (data < 10)57 {✓ 58 buffer[data] = 1;❗VULN59 /* Print the array values */✓ 60 for(i = 0; i < 10; i++)61 {✓ 62 printIntLine(buffer[i]);63 }64 }65 else66 {✓ 67 printLine("ERROR: Array index is negative.");68 }69 }70}7172void CWE124_Buffer_Underwrite__CWE839_connect_socket_45_bad()73{74 int data;75 /* Initialize data */76 data = -1;77 {78#ifdef _WIN3279 WSADATA wsaData;80 int wsaDataInit = 0;81#endif82 int recvResult;83 struct sockaddr_in service;84 SOCKET connectSocket = INVALID_SOCKET;85 char inputBuffer[CHAR_ARRAY_SIZE];86 do87 {88#ifdef _WIN3289 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)90 {91 break;92 }93 wsaDataInit = 1;94#endif95 /* POTENTIAL FLAW: Read data using a connect socket */96 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);97 if (connectSocket == INVALID_SOCKET)98 {99 break;100 }101 memset(&service, 0, sizeof(service));102 service.sin_family = AF_INET;103 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);104 service.sin_port = htons(TCP_PORT);105 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)106 {107 break;108 }109 /* Abort on error or the connection was closed, make sure to recv one110 * less char than is in the recv_buf in order to append a terminator */111 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);112 if (recvResult == SOCKET_ERROR || recvResult == 0)113 {114 break;115 }116 /* NUL-terminate the string */117 inputBuffer[recvResult] = '\0';118 /* Convert to int */119 data = atoi(inputBuffer);120 }121 while (0);122 if (connectSocket != INVALID_SOCKET)123 {124 CLOSE_SOCKET(connectSocket);125 }126#ifdef _WIN32127 if (wsaDataInit)128 {129 WSACleanup();130 }131#endif132 }133 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_badData = data;134 badSink();135}136137#endif /* OMITBAD */138139#ifndef OMITGOOD140141/* goodG2B() uses the GoodSource with the BadSink */142static void goodG2BSink()143{144 int data = CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodG2BData;145 {146 int i;147 int buffer[10] = { 0 };148 /* POTENTIAL FLAW: Attempt to access a negative index of the array149 * This code does not check to see if the array index is negative */150 if (data < 10)151 {152 buffer[data] = 1;153 /* Print the array values */154 for(i = 0; i < 10; i++)155 {156 printIntLine(buffer[i]);157 }158 }159 else160 {161 printLine("ERROR: Array index is negative.");162 }163 }164}165166static void goodG2B()167{168 int data;169 /* Initialize data */170 data = -1;171 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to172 * access an index of the array in the sink that is out-of-bounds */173 data = 7;174 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodG2BData = data;175 goodG2BSink();176}177178/* goodB2G() uses the BadSource with the GoodSink */179static void goodB2GSink()180{181 int data = CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodB2GData;182 {183 int i;184 int buffer[10] = { 0 };185 /* FIX: Properly validate the array index and prevent a buffer underwrite */186 if (data >= 0 && data < (10))187 {188 buffer[data] = 1;189 /* Print the array values */190 for(i = 0; i < 10; i++)191 {192 printIntLine(buffer[i]);193 }194 }195 else196 {197 printLine("ERROR: Array index is out-of-bounds");198 }199 }200}201202static void goodB2G()203{204 int data;205 /* Initialize data */206 data = -1;207 {208#ifdef _WIN32209 WSADATA wsaData;210 int wsaDataInit = 0;211#endif212 int recvResult;213 struct sockaddr_in service;214 SOCKET connectSocket = INVALID_SOCKET;215 char inputBuffer[CHAR_ARRAY_SIZE];216 do217 {218#ifdef _WIN32219 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)220 {221 break;222 }223 wsaDataInit = 1;224#endif225 /* POTENTIAL FLAW: Read data using a connect socket */226 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);227 if (connectSocket == INVALID_SOCKET)228 {229 break;230 }231 memset(&service, 0, sizeof(service));232 service.sin_family = AF_INET;233 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);234 service.sin_port = htons(TCP_PORT);235 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)236 {237 break;238 }239 /* Abort on error or the connection was closed, make sure to recv one240 * less char than is in the recv_buf in order to append a terminator */241 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);242 if (recvResult == SOCKET_ERROR || recvResult == 0)243 {244 break;245 }246 /* NUL-terminate the string */247 inputBuffer[recvResult] = '\0';248 /* Convert to int */249 data = atoi(inputBuffer);250 }251 while (0);252 if (connectSocket != INVALID_SOCKET)253 {254 CLOSE_SOCKET(connectSocket);255 }256#ifdef _WIN32257 if (wsaDataInit)258 {259 WSACleanup();260 }261#endif262 }263 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodB2GData = data;264 goodB2GSink();265}266267void CWE124_Buffer_Underwrite__CWE839_connect_socket_45_good()268{269 goodG2B();270 goodB2G();271}272273#endif /* OMITGOOD */274275/* Below is the main(). It is only used when building this testcase on276 its own for testing or for building a binary to use in testing binary277 analysis tools. It is not used when compiling all the testcases as one278 application, which is how source code analysis tools are tested. */279#ifdef INCLUDEMAIN280281int main(int argc, char * argv[])282{283 /* seed randomness */284 srand( (unsigned)time(NULL) );285#ifndef OMITGOOD286 printLine("Calling good()...");287 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_good();288 printLine("Finished good()");289#endif /* OMITGOOD */290#ifndef OMITBAD291 printLine("Calling bad()...");292 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_bad();293 printLine("Finished bad()");294#endif /* OMITBAD */295 return 0;296}297298#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-03.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 03 Control flow: if(5==5) and if(5!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03_bad()24{✓ 25 char * data;✓ 26 data = (char *)malloc(100*sizeof(char));✓ 27 if (data == NULL) {exit(-1);}✓ 28 if(5==5)29 {30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 31 memset(data, 'A', 100-1); /* fill with 'A's */✓ 32 data[100-1] = '\0'; /* null terminate */33 }34 {✓ 35 char dest[50] = "";36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 37 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN✓ 38 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 39 printLine(data);✓ 40 free(data);41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B1() - use goodsource and badsink by changing the 5==5 to 5!=5 */49static void goodG2B1()50{51 char * data;52 data = (char *)malloc(100*sizeof(char));53 if (data == NULL) {exit(-1);}54 if(5!=5)55 {56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */57 printLine("Benign, fixed string");58 }59 else60 {61 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */62 memset(data, 'A', 50-1); /* fill with 'A's */63 data[50-1] = '\0'; /* null terminate */64 }65 {66 char dest[50] = "";67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */68 memcpy(dest, data, strlen(data)*sizeof(char));69 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */70 printLine(data);71 free(data);72 }73}7475/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */76static void goodG2B2()77{78 char * data;79 data = (char *)malloc(100*sizeof(char));80 if (data == NULL) {exit(-1);}81 if(5==5)82 {83 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */84 memset(data, 'A', 50-1); /* fill with 'A's */85 data[50-1] = '\0'; /* null terminate */86 }87 {88 char dest[50] = "";89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */90 memcpy(dest, data, strlen(data)*sizeof(char));91 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */92 printLine(data);93 free(data);94 }95}9697void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03_good()98{99 goodG2B1();100 goodG2B2();101}102103#endif /* OMITGOOD */104105/* Below is the main(). It is only used when building this testcase on106 * its own for testing or for building a binary to use in testing binary107 * analysis tools. It is not used when compiling all the testcases as one108 * application, which is how source code analysis tools are tested.109 */110111#ifdef INCLUDEMAIN112113int main(int argc, char * argv[])114{115 /* seed randomness */116 srand( (unsigned)time(NULL) );117#ifndef OMITGOOD118 printLine("Calling good()...");119 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03_good();120 printLine("Finished good()");121#endif /* OMITGOOD */122#ifndef OMITBAD123 printLine("Calling bad()...");124 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03_bad();125 printLine("Finished bad()");126#endif /* OMITBAD */127 return 0;128}129130#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__malloc_char_loop_68b.c3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml4Template File: sources-sink-68b.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021extern char * CWE126_Buffer_Overread__malloc_char_loop_68_badData;22extern char * CWE126_Buffer_Overread__malloc_char_loop_68_goodG2BData;2324/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */2526#ifndef OMITBAD2728void CWE126_Buffer_Overread__malloc_char_loop_68b_badSink()29{✓ 30 char * data = CWE126_Buffer_Overread__malloc_char_loop_68_badData;31 {✓ 32 size_t i, destLen;✓ 33 char dest[100];✓ 34 memset(dest, 'C', 100-1);✓ 35 dest[100-1] = '\0'; /* null terminate */✓ 36 destLen = strlen(dest);37 /* POTENTIAL FLAW: using length of the dest where data38 * could be smaller than dest causing buffer overread */✓ 39 for (i = 0; i < destLen; i++)40 {✓ 41 dest[i] = data[i];❗VULN42 }✓ 43 dest[100-1] = '\0';✓ 44 printLine(dest);✓ 45 free(data);46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B uses the GoodSource with the BadSink */54void CWE126_Buffer_Overread__malloc_char_loop_68b_goodG2BSink()55{56 char * data = CWE126_Buffer_Overread__malloc_char_loop_68_goodG2BData;57 {58 size_t i, destLen;59 char dest[100];60 memset(dest, 'C', 100-1);61 dest[100-1] = '\0'; /* null terminate */62 destLen = strlen(dest);63 /* POTENTIAL FLAW: using length of the dest where data64 * could be smaller than dest causing buffer overread */65 for (i = 0; i < destLen; i++)66 {67 dest[i] = data[i];68 }69 dest[100-1] = '\0';70 printLine(dest);71 free(data);72 }73}7475#endif /* OMITGOOD */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 7 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_declare_memcpy_68b.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-68b.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021extern wchar_t * CWE127_Buffer_Underread__wchar_t_declare_memcpy_68_badData;22extern wchar_t * CWE127_Buffer_Underread__wchar_t_declare_memcpy_68_goodG2BData;2324/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */2526#ifndef OMITBAD2728void CWE127_Buffer_Underread__wchar_t_declare_memcpy_68b_badSink()29{✓ 30 wchar_t * data = CWE127_Buffer_Underread__wchar_t_declare_memcpy_68_badData;31 {✓ 32 wchar_t dest[100];✓ 33 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 34 dest[100-1] = L'\0'; /* null terminate */35 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 36 memcpy(dest, data, 100*sizeof(wchar_t));❗VULN37 /* Ensure null termination */✓ 38 dest[100-1] = L'\0';✓ 39 printWLine(dest);40 }41}4243#endif /* OMITBAD */4445#ifndef OMITGOOD4647/* goodG2B uses the GoodSource with the BadSink */48void CWE127_Buffer_Underread__wchar_t_declare_memcpy_68b_goodG2BSink()49{50 wchar_t * data = CWE127_Buffer_Underread__wchar_t_declare_memcpy_68_goodG2BData;51 {52 wchar_t dest[100];53 wmemset(dest, L'C', 100-1); /* fill with 'C's */54 dest[100-1] = L'\0'; /* null terminate */55 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */56 memcpy(dest, data, 100*sizeof(wchar_t));57 /* Ensure null termination */58 dest[100-1] = L'\0';59 printWLine(dest);60 }61}6263#endif /* OMITGOOD */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-14.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14_bad()24{✓ 25 char * data;✓ 26 data = (char *)malloc(100*sizeof(char));✓ 27 if (data == NULL) {exit(-1);}✓ 28 if(globalFive==5)29 {30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 31 memset(data, 'A', 100-1); /* fill with 'A's */✓ 32 data[100-1] = '\0'; /* null terminate */33 }34 {✓ 35 char dest[50] = "";36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 37 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN✓ 38 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 39 printLine(data);✓ 40 free(data);41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */49static void goodG2B1()50{51 char * data;52 data = (char *)malloc(100*sizeof(char));53 if (data == NULL) {exit(-1);}54 if(globalFive!=5)55 {56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */57 printLine("Benign, fixed string");58 }59 else60 {61 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */62 memset(data, 'A', 50-1); /* fill with 'A's */63 data[50-1] = '\0'; /* null terminate */64 }65 {66 char dest[50] = "";67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */68 memcpy(dest, data, strlen(data)*sizeof(char));69 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */70 printLine(data);71 free(data);72 }73}7475/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */76static void goodG2B2()77{78 char * data;79 data = (char *)malloc(100*sizeof(char));80 if (data == NULL) {exit(-1);}81 if(globalFive==5)82 {83 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */84 memset(data, 'A', 50-1); /* fill with 'A's */85 data[50-1] = '\0'; /* null terminate */86 }87 {88 char dest[50] = "";89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */90 memcpy(dest, data, strlen(data)*sizeof(char));91 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */92 printLine(data);93 free(data);94 }95}9697void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14_good()98{99 goodG2B1();100 goodG2B2();101}102103#endif /* OMITGOOD */104105/* Below is the main(). It is only used when building this testcase on106 * its own for testing or for building a binary to use in testing binary107 * analysis tools. It is not used when compiling all the testcases as one108 * application, which is how source code analysis tools are tested.109 */110111#ifdef INCLUDEMAIN112113int main(int argc, char * argv[])114{115 /* seed randomness */116 srand( (unsigned)time(NULL) );117#ifndef OMITGOOD118 printLine("Calling good()...");119 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14_good();120 printLine("Finished good()");121#endif /* OMITGOOD */122#ifndef OMITBAD123 printLine("Calling bad()...");124 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14_bad();125 printLine("Finished bad()");126#endif /* OMITBAD */127 return 0;128}129130#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-06.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is declared "const", so a tool should be able22 * to identify that reads of this will always give its initialized value. */23static const int STATIC_CONST_FIVE = 5;2425#ifndef OMITBAD2627void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06_bad()28{✓ 29 char * data;✓ 30 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 31 data = dataBuffer;✓ 32 if(STATIC_CONST_FIVE==5)33 {34 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 35 memset(data, 'A', 100-1); /* fill with 'A's */✓ 36 data[100-1] = '\0'; /* null terminate */37 }38 {✓ 39 char dest[50] = "";40 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 41 memmove(dest, data, strlen(data)*sizeof(char));❗VULN✓ 42 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 43 printLine(data);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */52static void goodG2B1()53{54 char * data;55 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));56 data = dataBuffer;57 if(STATIC_CONST_FIVE!=5)58 {59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */60 printLine("Benign, fixed string");61 }62 else63 {64 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */65 memset(data, 'A', 50-1); /* fill with 'A's */66 data[50-1] = '\0'; /* null terminate */67 }68 {69 char dest[50] = "";70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */71 memmove(dest, data, strlen(data)*sizeof(char));72 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */73 printLine(data);74 }75}7677/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */78static void goodG2B2()79{80 char * data;81 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));82 data = dataBuffer;83 if(STATIC_CONST_FIVE==5)84 {85 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */86 memset(data, 'A', 50-1); /* fill with 'A's */87 data[50-1] = '\0'; /* null terminate */88 }89 {90 char dest[50] = "";91 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */92 memmove(dest, data, strlen(data)*sizeof(char));93 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */94 printLine(data);95 }96}9798void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06_good()99{100 goodG2B1();101 goodG2B2();102}103104#endif /* OMITGOOD */105106/* Below is the main(). It is only used when building this testcase on107 * its own for testing or for building a binary to use in testing binary108 * analysis tools. It is not used when compiling all the testcases as one109 * application, which is how source code analysis tools are tested.110 */111112#ifdef INCLUDEMAIN113114int main(int argc, char * argv[])115{116 /* seed randomness */117 srand( (unsigned)time(NULL) );118#ifndef OMITGOOD119 printLine("Calling good()...");120 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06_good();121 printLine("Finished good()");122#endif /* OMITGOOD */123#ifndef OMITBAD124 printLine("Calling bad()...");125 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06_bad();126 printLine("Finished bad()");127#endif /* OMITBAD */128 return 0;129}130131#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sinks: memmove12 * BadSink : Copy string to data using memmove13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021typedef union22{23 char * unionFirst;24 char * unionSecond;25} CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_unionType;2627#ifndef OMITBAD2829void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_bad()30{✓ 31 char * data;✓ 32 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_unionType myUnion;✓ 33 char dataBadBuffer[50];✓ 34 char dataGoodBuffer[100];35 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination36 * buffer in various memory copying functions using a "large" source buffer. */✓ 37 data = dataBadBuffer;✓ 38 data[0] = '\0'; /* null terminate */✓ 39 myUnion.unionFirst = data;40 {✓ 41 char * data = myUnion.unionSecond;42 {✓ 43 char source[100];✓ 44 memset(source, 'C', 100-1); /* fill with 'C's */✓ 45 source[100-1] = '\0'; /* null terminate */46 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 47 memmove(data, source, 100*sizeof(char));❗VULN✓ 48 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 49 printLine(data);50 }51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B() uses the GoodSource with the BadSink */59static void goodG2B()60{61 char * data;62 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_unionType myUnion;63 char dataBadBuffer[50];64 char dataGoodBuffer[100];65 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */66 data = dataGoodBuffer;67 data[0] = '\0'; /* null terminate */68 myUnion.unionFirst = data;69 {70 char * data = myUnion.unionSecond;71 {72 char source[100];73 memset(source, 'C', 100-1); /* fill with 'C's */74 source[100-1] = '\0'; /* null terminate */75 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */76 memmove(data, source, 100*sizeof(char));77 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */78 printLine(data);79 }80 }81}8283void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_good()84{85 goodG2B();86}8788#endif /* OMITGOOD */8990/* Below is the main(). It is only used when building this testcase on91 * its own for testing or for building a binary to use in testing binary92 * analysis tools. It is not used when compiling all the testcases as one93 * application, which is how source code analysis tools are tested.94 */95#ifdef INCLUDEMAIN9697int main(int argc, char * argv[])98{99 /* seed randomness */100 srand( (unsigned)time(NULL) );101#ifndef OMITGOOD102 printLine("Calling good()...");103 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_good();104 printLine("Finished good()");105#endif /* OMITGOOD */106#ifndef OMITBAD107 printLine("Calling bad()...");108 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_bad();109 printLine("Finished bad()");110#endif /* OMITBAD */111 return 0;112}113114#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-01.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncpy12 * BadSink : Copy data to string using wcsncpy13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t dataBuffer[100];✓ 27 data = dataBuffer;28 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 29 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 30 data[100-1] = L'\0'; /* null terminate */31 {✓ 32 wchar_t dest[50] = L"";33 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 34 wcsncpy(dest, data, wcslen(data));❗VULN✓ 35 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 36 printWLine(data);37 }38}3940#endif /* OMITBAD */4142#ifndef OMITGOOD4344/* goodG2B uses the GoodSource with the BadSink */45static void goodG2B()46{47 wchar_t * data;48 wchar_t dataBuffer[100];49 data = dataBuffer;50 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */51 wmemset(data, L'A', 50-1); /* fill with L'A's */52 data[50-1] = L'\0'; /* null terminate */53 {54 wchar_t dest[50] = L"";55 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */56 wcsncpy(dest, data, wcslen(data));57 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */58 printWLine(data);59 }60}6162void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01_good()63{64 goodG2B();65}6667#endif /* OMITGOOD */6869/* Below is the main(). It is only used when building this testcase on70 * its own for testing or for building a binary to use in testing binary71 * analysis tools. It is not used when compiling all the testcases as one72 * application, which is how source code analysis tools are tested.73 */7475#ifdef INCLUDEMAIN7677int main(int argc, char * argv[])78{79 /* seed randomness */80 srand( (unsigned)time(NULL) );81#ifndef OMITGOOD82 printLine("Calling good()...");83 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01_good();84 printLine("Finished good()");85#endif /* OMITGOOD */86#ifndef OMITBAD87 printLine("Calling bad()...");88 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01_bad();89 printLine("Finished bad()");90#endif /* OMITBAD */91 return 0;92}9394#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml4Template File: sources-sink-12.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory without using sizeof(int)10 * GoodSource: Allocate memory using sizeof(int)11 * Sink: memmove12 * BadSink : Copy array to data using memmove()13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12_bad()22{✓ 23 int * data;✓ 24 data = NULL;✓ 25 if(globalReturnsTrueOrFalse())26 {27 /* FLAW: Allocate memory without using sizeof(int) */✓ 28 data = (int *)malloc(10);✓ 29 if (data == NULL) {exit(-1);}30 }31 else32 {33 /* FIX: Allocate memory using sizeof(int) */✓ 34 data = (int *)malloc(10*sizeof(int));✓ 35 if (data == NULL) {exit(-1);}36 }37 {✓ 38 int source[10] = {0};39 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */✓ 40 memmove(data, source, 10*sizeof(int));❗VULN✓ 41 printIntLine(data[0]);✓ 42 free(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B() - use goodsource and badsink by changing the "if" so that51 * both branches use the GoodSource */52static void goodG2B()53{54 int * data;55 data = NULL;56 if(globalReturnsTrueOrFalse())57 {58 /* FIX: Allocate memory using sizeof(int) */59 data = (int *)malloc(10*sizeof(int));60 if (data == NULL) {exit(-1);}61 }62 else63 {64 /* FIX: Allocate memory using sizeof(int) */65 data = (int *)malloc(10*sizeof(int));66 if (data == NULL) {exit(-1);}67 }68 {69 int source[10] = {0};70 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */71 memmove(data, source, 10*sizeof(int));72 printIntLine(data[0]);73 free(data);74 }75}7677void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12_good()78{79 goodG2B();80}8182#endif /* OMITGOOD */8384/* Below is the main(). It is only used when building this testcase on85 * its own for testing or for building a binary to use in testing binary86 * analysis tools. It is not used when compiling all the testcases as one87 * application, which is how source code analysis tools are tested.88 */8990#ifdef INCLUDEMAIN9192int main(int argc, char * argv[])93{94 /* seed randomness */95 srand( (unsigned)time(NULL) );96#ifndef OMITGOOD97 printLine("Calling good()...");98 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12_good();99 printLine("Finished good()");100#endif /* OMITGOOD */101#ifndef OMITBAD102 printLine("Calling bad()...");103 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12_bad();104 printLine("Finished bad()");105#endif /* OMITBAD */106 return 0;107}108109#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml4Template File: sources-sink-12.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sink: memmove12 * BadSink : Copy string to data using memmove()13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING L"AAAAAAAAAA"2526#ifndef OMITBAD2728void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12_bad()29{✓ 30 wchar_t * data;✓ 31 data = NULL;✓ 32 if(globalReturnsTrueOrFalse())33 {34 /* FLAW: Did not leave space for a null terminator */✓ 35 data = (wchar_t *)malloc(10*sizeof(wchar_t));✓ 36 if (data == NULL) {exit(-1);}37 }38 else39 {40 /* FIX: Allocate space for a null terminator */✓ 41 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));✓ 42 if (data == NULL) {exit(-1);}43 }44 {✓ 45 wchar_t source[10+1] = SRC_STRING;46 /* Copy length + 1 to include NUL terminator from source */47 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 48 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));❗VULN✓ 49 printWLine(data);✓ 50 free(data);51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B() - use goodsource and badsink by changing the "if" so that59 * both branches use the GoodSource */60static void goodG2B()61{62 wchar_t * data;63 data = NULL;64 if(globalReturnsTrueOrFalse())65 {66 /* FIX: Allocate space for a null terminator */67 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));68 if (data == NULL) {exit(-1);}69 }70 else71 {72 /* FIX: Allocate space for a null terminator */73 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));74 if (data == NULL) {exit(-1);}75 }76 {77 wchar_t source[10+1] = SRC_STRING;78 /* Copy length + 1 to include NUL terminator from source */79 /* POTENTIAL FLAW: data may not have enough space to hold source */80 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));81 printWLine(data);82 free(data);83 }84}8586void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12_good()87{88 goodG2B();89}9091#endif /* OMITGOOD */9293/* Below is the main(). It is only used when building this testcase on94 * its own for testing or for building a binary to use in testing binary95 * analysis tools. It is not used when compiling all the testcases as one96 * application, which is how source code analysis tools are tested.97 */9899#ifdef INCLUDEMAIN100101int main(int argc, char * argv[])102{103 /* seed randomness */104 srand( (unsigned)time(NULL) );105#ifndef OMITGOOD106 printLine("Calling good()...");107 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12_good();108 printLine("Finished good()");109#endif /* OMITGOOD */110#ifndef OMITBAD111 printLine("Calling bad()...");112 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12_bad();113 printLine("Finished bad()");114#endif /* OMITBAD */115 return 0;116}117118#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 46 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__CWE129_listen_socket_18.c3Label Definition File: CWE126_Buffer_Overread__CWE129.label.xml4Template File: sources-sinks-18.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Overread9 * BadSource: listen_socket Read data using a listen socket (server side)10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 18 Control flow: goto statements15 *16 * */1718#include "std_testcase.h"1920#ifdef _WIN3221#include <winsock2.h>22#include <windows.h>23#include <direct.h>24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */25#define CLOSE_SOCKET closesocket26#else27#include <sys/types.h>28#include <sys/socket.h>29#include <netinet/in.h>30#include <arpa/inet.h>31#include <unistd.h>32#define INVALID_SOCKET -133#define SOCKET_ERROR -134#define CLOSE_SOCKET close35#define SOCKET int36#endif3738#define TCP_PORT 2701539#define LISTEN_BACKLOG 540#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)4142#ifndef OMITBAD4344void CWE126_Buffer_Overread__CWE129_listen_socket_18_bad()45{✓ 46 int data;47 /* Initialize data */✓ 48 data = -1;✓ 49 goto source;✓ 50source:51 {52#ifdef _WIN32✓ 53 WSADATA wsaData;✓ 54 int wsaDataInit = 0;55#endif✓ 56 int recvResult;✓ 57 struct sockaddr_in service;✓ 58 SOCKET listenSocket = INVALID_SOCKET;✓ 59 SOCKET acceptSocket = INVALID_SOCKET;✓ 60 char inputBuffer[CHAR_ARRAY_SIZE];61 do62 {63#ifdef _WIN32✓ 64 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)65 {✓ 66 break;67 }✓ 68 wsaDataInit = 1;69#endif70 /* POTENTIAL FLAW: Read data using a listen socket */✓ 71 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);✓ 72 if (listenSocket == INVALID_SOCKET)73 {✓ 74 break;75 }✓ 76 memset(&service, 0, sizeof(service));✓ 77 service.sin_family = AF_INET;✓ 78 service.sin_addr.s_addr = INADDR_ANY;✓ 79 service.sin_port = htons(TCP_PORT);✓ 80 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)81 {✓ 82 break;83 }✓ 84 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)85 {✓ 86 break;87 }✓ 88 acceptSocket = accept(listenSocket, NULL, NULL);✓ 89 if (acceptSocket == SOCKET_ERROR)90 {✓ 91 break;92 }93 /* Abort on error or the connection was closed */✓ 94 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);✓ 95 if (recvResult == SOCKET_ERROR || recvResult == 0)96 {✓ 97 break;98 }99 /* NUL-terminate the string */✓100 inputBuffer[recvResult] = '\0';101 /* Convert to int */✓102 data = atoi(inputBuffer);103 }✓104 while (0);✓105 if (listenSocket != INVALID_SOCKET)106 {✓107 CLOSE_SOCKET(listenSocket);108 }✓109 if (acceptSocket != INVALID_SOCKET)110 {✓111 CLOSE_SOCKET(acceptSocket);112 }113#ifdef _WIN32✓114 if (wsaDataInit)115 {✓116 WSACleanup();117 }118#endif119 }✓120 goto sink;✓121sink:122 {✓123 int buffer[10] = { 0 };124 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound125 * This check does not check the upper bounds of the array index */✓126 if (data >= 0)127 {✓128 printIntLine(buffer[data]);❗VULN129 }130 else131 {✓132 printLine("ERROR: Array index is negative");133 }134 }135}136137#endif /* OMITBAD */138139#ifndef OMITGOOD140141/* goodB2G() - use badsource and goodsink by reversing the blocks on the second goto statement */142static void goodB2G()143{144 int data;145 /* Initialize data */146 data = -1;147 goto source;148source:149 {150#ifdef _WIN32151 WSADATA wsaData;152 int wsaDataInit = 0;153#endif154 int recvResult;155 struct sockaddr_in service;156 SOCKET listenSocket = INVALID_SOCKET;157 SOCKET acceptSocket = INVALID_SOCKET;158 char inputBuffer[CHAR_ARRAY_SIZE];159 do160 {161#ifdef _WIN32162 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)163 {164 break;165 }166 wsaDataInit = 1;167#endif168 /* POTENTIAL FLAW: Read data using a listen socket */169 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);170 if (listenSocket == INVALID_SOCKET)171 {172 break;173 }174 memset(&service, 0, sizeof(service));175 service.sin_family = AF_INET;176 service.sin_addr.s_addr = INADDR_ANY;177 service.sin_port = htons(TCP_PORT);178 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)179 {180 break;181 }182 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)183 {184 break;185 }186 acceptSocket = accept(listenSocket, NULL, NULL);187 if (acceptSocket == SOCKET_ERROR)188 {189 break;190 }191 /* Abort on error or the connection was closed */192 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);193 if (recvResult == SOCKET_ERROR || recvResult == 0)194 {195 break;196 }197 /* NUL-terminate the string */198 inputBuffer[recvResult] = '\0';199 /* Convert to int */200 data = atoi(inputBuffer);201 }202 while (0);203 if (listenSocket != INVALID_SOCKET)204 {205 CLOSE_SOCKET(listenSocket);206 }207 if (acceptSocket != INVALID_SOCKET)208 {209 CLOSE_SOCKET(acceptSocket);210 }211#ifdef _WIN32212 if (wsaDataInit)213 {214 WSACleanup();215 }216#endif217 }218 goto sink;219sink:220 {221 int buffer[10] = { 0 };222 /* FIX: Properly validate the array index and prevent a buffer overread */223 if (data >= 0 && data < (10))224 {225 printIntLine(buffer[data]);226 }227 else228 {229 printLine("ERROR: Array index is out-of-bounds");230 }231 }232}233234/* goodG2B() - use goodsource and badsink by reversing the blocks on the first goto statement */235static void goodG2B()236{237 int data;238 /* Initialize data */239 data = -1;240 goto source;241source:242 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to243 * access an index of the array in the sink that is out-of-bounds */244 data = 7;245 goto sink;246sink:247 {248 int buffer[10] = { 0 };249 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound250 * This check does not check the upper bounds of the array index */251 if (data >= 0)252 {253 printIntLine(buffer[data]);254 }255 else256 {257 printLine("ERROR: Array index is negative");258 }259 }260}261262void CWE126_Buffer_Overread__CWE129_listen_socket_18_good()263{264 goodB2G();265 goodG2B();266}267268#endif /* OMITGOOD */269270/* Below is the main(). It is only used when building this testcase on271 its own for testing or for building a binary to use in testing binary272 analysis tools. It is not used when compiling all the testcases as one273 application, which is how source code analysis tools are tested. */274275#ifdef INCLUDEMAIN276277int main(int argc, char * argv[])278{279 /* seed randomness */280 srand( (unsigned)time(NULL) );281#ifndef OMITGOOD282 printLine("Calling good()...");283 CWE126_Buffer_Overread__CWE129_listen_socket_18_good();284 printLine("Finished good()");285#endif /* OMITGOOD */286#ifndef OMITBAD287 printLine("Calling bad()...");288 CWE126_Buffer_Overread__CWE129_listen_socket_18_bad();289 printLine("Finished bad()");290#endif /* OMITBAD */291 return 0;292}293294#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 3 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__placement_new_declare_10.cpp3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__placement_new.label.xml4Template File: sources-sinks-10.tmpl.cpp5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data to a small buffer10 * GoodSource: Initialize data to a buffer large enough to hold a TwoIntsClass11 * Sinks:12 * GoodSink: Allocate a new class using placement new and a buffer that is large enough to hold the class13 * BadSink : Allocate a new class using placement new and a buffer that is too small14 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)15 *16 * */1718#include "std_testcase.h"1920namespace CWE121_Stack_Based_Buffer_Overflow__placement_new_declare_1021{2223#ifndef OMITBAD2425void bad()26{✓ 27 char * data;✓ 28 char dataBadBuffer[sizeof(OneIntClass)];✓ 29 char dataGoodBuffer[sizeof(TwoIntsClass)];✓ 30 if(globalTrue)31 {32 /* POTENTIAL FLAW: Initialize data to a buffer smaller than the sizeof(TwoIntsClass) */✓ 33 data = dataBadBuffer;34 }✓ 35 if(globalTrue)36 {37 {38 /* The Visual C++ compiler generates a warning if you initialize the class with ().39 * This will cause the compile to default-initialize the object.40 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx41 */42 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */✓ 43 TwoIntsClass * classTwo = new(data) TwoIntsClass;44 /* Initialize and make use of the class */✗ 45 classTwo->intOne = 5;✓ 46 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */❗VULN✗ 47 printIntLine(classTwo->intOne);48 /* skip printing classTwo->intTwo since that could be a buffer overread */49 }50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodB2G1() - use badsource and goodsink by changing the second globalTrue to globalFalse */58static void goodB2G1()59{60 char * data;61 char dataBadBuffer[sizeof(OneIntClass)];62 char dataGoodBuffer[sizeof(TwoIntsClass)];63 if(globalTrue)64 {65 /* POTENTIAL FLAW: Initialize data to a buffer smaller than the sizeof(TwoIntsClass) */66 data = dataBadBuffer;67 }68 if(globalFalse)69 {70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */71 printLine("Benign, fixed string");72 }73 else74 {75 {76 /* The Visual C++ compiler generates a warning if you initialize the class with ().77 * This will cause the compile to default-initialize the object.78 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx79 */80 /* FIX: data will at least be the sizeof(OneIntClass) */81 OneIntClass * classOne = new(data) OneIntClass;82 /* Initialize and make use of the class */83 classOne->intOne = 5;84 printIntLine(classOne->intOne);85 }86 }87}8889/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */90static void goodB2G2()91{92 char * data;93 char dataBadBuffer[sizeof(OneIntClass)];94 char dataGoodBuffer[sizeof(TwoIntsClass)];95 if(globalTrue)96 {97 /* POTENTIAL FLAW: Initialize data to a buffer smaller than the sizeof(TwoIntsClass) */98 data = dataBadBuffer;99 }100 if(globalTrue)101 {102 {103 /* The Visual C++ compiler generates a warning if you initialize the class with ().104 * This will cause the compile to default-initialize the object.105 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx106 */107 /* FIX: data will at least be the sizeof(OneIntClass) */108 OneIntClass * classOne = new(data) OneIntClass;109 /* Initialize and make use of the class */110 classOne->intOne = 5;111 printIntLine(classOne->intOne);112 }113 }114}115116/* goodG2B1() - use goodsource and badsink by changing the first globalTrue to globalFalse */117static void goodG2B1()118{119 char * data;120 char dataBadBuffer[sizeof(OneIntClass)];121 char dataGoodBuffer[sizeof(TwoIntsClass)];122 if(globalFalse)123 {124 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */125 printLine("Benign, fixed string");126 }127 else128 {129 /* FIX: Initialize to a buffer at least the sizeof(TwoIntsClass) */130 data = dataGoodBuffer;131 }132 if(globalTrue)133 {134 {135 /* The Visual C++ compiler generates a warning if you initialize the class with ().136 * This will cause the compile to default-initialize the object.137 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx138 */139 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */140 TwoIntsClass * classTwo = new(data) TwoIntsClass;141 /* Initialize and make use of the class */142 classTwo->intOne = 5;143 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */144 printIntLine(classTwo->intOne);145 /* skip printing classTwo->intTwo since that could be a buffer overread */146 }147 }148}149150/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */151static void goodG2B2()152{153 char * data;154 char dataBadBuffer[sizeof(OneIntClass)];155 char dataGoodBuffer[sizeof(TwoIntsClass)];156 if(globalTrue)157 {158 /* FIX: Initialize to a buffer at least the sizeof(TwoIntsClass) */159 data = dataGoodBuffer;160 }161 if(globalTrue)162 {163 {164 /* The Visual C++ compiler generates a warning if you initialize the class with ().165 * This will cause the compile to default-initialize the object.166 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx167 */168 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */169 TwoIntsClass * classTwo = new(data) TwoIntsClass;170 /* Initialize and make use of the class */171 classTwo->intOne = 5;172 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */173 printIntLine(classTwo->intOne);174 /* skip printing classTwo->intTwo since that could be a buffer overread */175 }176 }177}178179void good()180{181 goodB2G1();182 goodB2G2();183 goodG2B1();184 goodG2B2();185}186187#endif /* OMITGOOD */188189} /* close namespace */190191/* Below is the main(). It is only used when building this testcase on192 its own for testing or for building a binary to use in testing binary193 analysis tools. It is not used when compiling all the testcases as one194 application, which is how source code analysis tools are tested. */195196#ifdef INCLUDEMAIN197198using namespace CWE121_Stack_Based_Buffer_Overflow__placement_new_declare_10; /* so that we can use good and bad easily */199200int main(int argc, char * argv[])201{202 /* seed randomness */203 srand( (unsigned)time(NULL) );204#ifndef OMITGOOD205 printLine("Calling good()...");206 good();207 printLine("Finished good()");208#endif /* OMITGOOD */209#ifndef OMITBAD210 printLine("Calling bad()...");211 bad();212 printLine("Finished bad()");213#endif /* OMITBAD */214 return 0;215}216217#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_21.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-21.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: ncat12 * BadSink : Copy string to data using wcsncat13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_2122{2324#ifndef OMITBAD2526/* The static variable below is used to drive control flow in the source function */27static int badStatic = 0;2829static wchar_t * badSource(wchar_t * data)30{31 if(badStatic)32 {33 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */34 data = new wchar_t[50];35 data[0] = L'\0'; /* null terminate */36 }37 return data;38}3940void bad()41{✓ 42 wchar_t * data;✓ 43 data = NULL;✓ 44 badStatic = 1; /* true */✓ 45 data = badSource(data);46 {✓ 47 wchar_t source[100];✓ 48 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 49 source[100-1] = L'\0'; /* null terminate */50 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */✓ 51 wcsncat(data, source, 100);❗VULN✓ 52 printWLine(data);✓ 53 delete [] data;54 }✓ 55 ;56}5758#endif /* OMITBAD */5960#ifndef OMITGOOD6162/* The static variables below are used to drive control flow in the source functions. */63static int goodG2B1Static = 0;64static int goodG2B2Static = 0;6566/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */67static wchar_t * goodG2B1Source(wchar_t * data)68{69 if(goodG2B1Static)70 {71 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */72 printLine("Benign, fixed string");73 }74 else75 {76 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */77 data = new wchar_t[100];78 data[0] = L'\0'; /* null terminate */79 }80 return data;81}8283static void goodG2B1()84{85 wchar_t * data;86 data = NULL;87 goodG2B1Static = 0; /* false */88 data = goodG2B1Source(data);89 {90 wchar_t source[100];91 wmemset(source, L'C', 100-1); /* fill with L'C's */92 source[100-1] = L'\0'; /* null terminate */93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */94 wcsncat(data, source, 100);95 printWLine(data);96 delete [] data;97 }98 ;99}100101/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */102static wchar_t * goodG2B2Source(wchar_t * data)103{104 if(goodG2B2Static)105 {106 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */107 data = new wchar_t[100];108 data[0] = L'\0'; /* null terminate */109 }110 return data;111}112113static void goodG2B2()114{115 wchar_t * data;116 data = NULL;117 goodG2B2Static = 1; /* true */118 data = goodG2B2Source(data);119 {120 wchar_t source[100];121 wmemset(source, L'C', 100-1); /* fill with L'C's */122 source[100-1] = L'\0'; /* null terminate */123 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */124 wcsncat(data, source, 100);125 printWLine(data);126 delete [] data;127 }128 ;129}130131void good()132{133 goodG2B1();134 goodG2B2();135}136137#endif /* OMITGOOD */138139} /* close namespace */140141/* Below is the main(). It is only used when building this testcase on142 its own for testing or for building a binary to use in testing binary143 analysis tools. It is not used when compiling all the testcases as one144 application, which is how source code analysis tools are tested. */145146#ifdef INCLUDEMAIN147148using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_21; /* so that we can use good and bad easily */149150int main(int argc, char * argv[])151{152 /* seed randomness */153 srand( (unsigned)time(NULL) );154#ifndef OMITGOOD155 printLine("Calling good()...");156 good();157 printLine("Finished good()");158#endif /* OMITGOOD */159#ifndef OMITBAD160 printLine("Calling bad()...");161 bad();162 printLine("Finished bad()");163#endif /* OMITBAD */164 return 0;165}166167#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml4Template File: sources-sinks-04.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: large Large index value that is greater than 10-110 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)15 *16 * */1718#include "std_testcase.h"1920/* The two variables below are declared "const", so a tool should21 be able to identify that reads of these will always return their22 initialized values. */23static const int STATIC_CONST_TRUE = 1; /* true */24static const int STATIC_CONST_FALSE = 0; /* false */2526#ifndef OMITBAD2728void CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04_bad()29{✓ 30 int data;31 /* Initialize data */✓ 32 data = -1;✓ 33 if(STATIC_CONST_TRUE)34 {35 /* POTENTIAL FLAW: Use an invalid index */✓ 36 data = 10;37 }✓ 38 if(STATIC_CONST_TRUE)39 {40 {✓ 41 int i;✓ 42 int buffer[10] = { 0 };43 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound44 * This code does check to see if the array index is negative */✓ 45 if (data >= 0)46 {✓ 47 buffer[data] = 1;❗VULN48 /* Print the array values */✓ 49 for(i = 0; i < 10; i++)50 {✓ 51 printIntLine(buffer[i]);52 }53 }54 else55 {✓ 56 printLine("ERROR: Array index is negative.");57 }58 }59 }60}6162#endif /* OMITBAD */6364#ifndef OMITGOOD6566/* goodB2G1() - use badsource and goodsink by changing the second STATIC_CONST_TRUE to STATIC_CONST_FALSE */67static void goodB2G1()68{69 int data;70 /* Initialize data */71 data = -1;72 if(STATIC_CONST_TRUE)73 {74 /* POTENTIAL FLAW: Use an invalid index */75 data = 10;76 }77 if(STATIC_CONST_FALSE)78 {79 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */80 printLine("Benign, fixed string");81 }82 else83 {84 {85 int i;86 int buffer[10] = { 0 };87 /* FIX: Properly validate the array index and prevent a buffer overflow */88 if (data >= 0 && data < (10))89 {90 buffer[data] = 1;91 /* Print the array values */92 for(i = 0; i < 10; i++)93 {94 printIntLine(buffer[i]);95 }96 }97 else98 {99 printLine("ERROR: Array index is out-of-bounds");100 }101 }102 }103}104105/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */106static void goodB2G2()107{108 int data;109 /* Initialize data */110 data = -1;111 if(STATIC_CONST_TRUE)112 {113 /* POTENTIAL FLAW: Use an invalid index */114 data = 10;115 }116 if(STATIC_CONST_TRUE)117 {118 {119 int i;120 int buffer[10] = { 0 };121 /* FIX: Properly validate the array index and prevent a buffer overflow */122 if (data >= 0 && data < (10))123 {124 buffer[data] = 1;125 /* Print the array values */126 for(i = 0; i < 10; i++)127 {128 printIntLine(buffer[i]);129 }130 }131 else132 {133 printLine("ERROR: Array index is out-of-bounds");134 }135 }136 }137}138139/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_TRUE to STATIC_CONST_FALSE */140static void goodG2B1()141{142 int data;143 /* Initialize data */144 data = -1;145 if(STATIC_CONST_FALSE)146 {147 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */148 printLine("Benign, fixed string");149 }150 else151 {152 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to153 * access an index of the array in the sink that is out-of-bounds */154 data = 7;155 }156 if(STATIC_CONST_TRUE)157 {158 {159 int i;160 int buffer[10] = { 0 };161 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound162 * This code does check to see if the array index is negative */163 if (data >= 0)164 {165 buffer[data] = 1;166 /* Print the array values */167 for(i = 0; i < 10; i++)168 {169 printIntLine(buffer[i]);170 }171 }172 else173 {174 printLine("ERROR: Array index is negative.");175 }176 }177 }178}179180/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */181static void goodG2B2()182{183 int data;184 /* Initialize data */185 data = -1;186 if(STATIC_CONST_TRUE)187 {188 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to189 * access an index of the array in the sink that is out-of-bounds */190 data = 7;191 }192 if(STATIC_CONST_TRUE)193 {194 {195 int i;196 int buffer[10] = { 0 };197 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound198 * This code does check to see if the array index is negative */199 if (data >= 0)200 {201 buffer[data] = 1;202 /* Print the array values */203 for(i = 0; i < 10; i++)204 {205 printIntLine(buffer[i]);206 }207 }208 else209 {210 printLine("ERROR: Array index is negative.");211 }212 }213 }214}215216void CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04_good()217{218 goodB2G1();219 goodB2G2();220 goodG2B1();221 goodG2B2();222}223224#endif /* OMITGOOD */225226/* Below is the main(). It is only used when building this testcase on227 its own for testing or for building a binary to use in testing binary228 analysis tools. It is not used when compiling all the testcases as one229 application, which is how source code analysis tools are tested. */230231#ifdef INCLUDEMAIN232233int main(int argc, char * argv[])234{235 /* seed randomness */236 srand( (unsigned)time(NULL) );237#ifndef OMITGOOD238 printLine("Calling good()...");239 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04_good();240 printLine("Finished good()");241#endif /* OMITGOOD */242#ifndef OMITBAD243 printLine("Calling bad()...");244 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04_bad();245 printLine("Finished bad()");246#endif /* OMITBAD */247 return 0;248}249250#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_18.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-18.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: swprintf12 * BadSink : Copy string to data using swprintf13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_1828{2930#ifndef OMITBAD3132void bad()33{✓ 34 wchar_t * data;✓ 35 data = NULL;✓ 36 goto source;✓ 37source:38 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 39 data = new wchar_t[50];✓ 40 data[0] = L'\0'; /* null terminate */41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 46 SNPRINTF(data, 100, L"%s", source);❗VULN✓ 47 printWLine(data);✓ 48 delete [] data;49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */57static void goodG2B()58{59 wchar_t * data;60 data = NULL;61 goto source;62source:63 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */64 data = new wchar_t[100];65 data[0] = L'\0'; /* null terminate */66 {67 wchar_t source[100];68 wmemset(source, L'C', 100-1); /* fill with L'C's */69 source[100-1] = L'\0'; /* null terminate */70 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */71 SNPRINTF(data, 100, L"%s", source);72 printWLine(data);73 delete [] data;74 }75}7677void good()78{79 goodG2B();80}8182#endif /* OMITGOOD */8384} /* close namespace */8586/* Below is the main(). It is only used when building this testcase on87 its own for testing or for building a binary to use in testing binary88 analysis tools. It is not used when compiling all the testcases as one89 application, which is how source code analysis tools are tested. */9091#ifdef INCLUDEMAIN9293using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_18; /* so that we can use good and bad easily */9495int main(int argc, char * argv[])96{97 /* seed randomness */98 srand( (unsigned)time(NULL) );99#ifndef OMITGOOD100 printLine("Calling good()...");101 good();102 printLine("Finished good()");103#endif /* OMITGOOD */104#ifndef OMITBAD105 printLine("Calling bad()...");106 bad();107 printLine("Finished bad()");108#endif /* OMITBAD */109 return 0;110}111112#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_wchar_t_loop_11.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-11.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__malloc_wchar_t_loop_11_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;✓ 27 if(globalReturnsTrue())28 {29 {✓ 30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 wmemset(dataBuffer, L'A', 100-1);✓ 33 dataBuffer[100-1] = L'\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 {✓ 39 size_t i;✓ 40 wchar_t dest[100];✓ 41 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 42 dest[100-1] = L'\0'; /* null terminate */43 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 44 for (i = 0; i < 100; i++)45 {✓ 46 dest[i] = data[i];❗VULN47 }48 /* Ensure null termination */✓ 49 dest[100-1] = L'\0';✓ 50 printWLine(dest);51 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location52 * returned by malloc() so can't safely call free() on it */53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */61static void goodG2B1()62{63 wchar_t * data;64 data = NULL;65 if(globalReturnsFalse())66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 {73 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));74 if (dataBuffer == NULL) {exit(-1);}75 wmemset(dataBuffer, L'A', 100-1);76 dataBuffer[100-1] = L'\0';77 /* FIX: Set data pointer to the allocated memory buffer */78 data = dataBuffer;79 }80 }81 {82 size_t i;83 wchar_t dest[100];84 wmemset(dest, L'C', 100-1); /* fill with 'C's */85 dest[100-1] = L'\0'; /* null terminate */86 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */87 for (i = 0; i < 100; i++)88 {89 dest[i] = data[i];90 }91 /* Ensure null termination */92 dest[100-1] = L'\0';93 printWLine(dest);94 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location95 * returned by malloc() so can't safely call free() on it */96 }97}9899/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */100static void goodG2B2()101{102 wchar_t * data;103 data = NULL;104 if(globalReturnsTrue())105 {106 {107 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));108 if (dataBuffer == NULL) {exit(-1);}109 wmemset(dataBuffer, L'A', 100-1);110 dataBuffer[100-1] = L'\0';111 /* FIX: Set data pointer to the allocated memory buffer */112 data = dataBuffer;113 }114 }115 {116 size_t i;117 wchar_t dest[100];118 wmemset(dest, L'C', 100-1); /* fill with 'C's */119 dest[100-1] = L'\0'; /* null terminate */120 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */121 for (i = 0; i < 100; i++)122 {123 dest[i] = data[i];124 }125 /* Ensure null termination */126 dest[100-1] = L'\0';127 printWLine(dest);128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location129 * returned by malloc() so can't safely call free() on it */130 }131}132133void CWE127_Buffer_Underread__malloc_wchar_t_loop_11_good()134{135 goodG2B1();136 goodG2B2();137}138139#endif /* OMITGOOD */140141/* Below is the main(). It is only used when building this testcase on142 * its own for testing or for building a binary to use in testing binary143 * analysis tools. It is not used when compiling all the testcases as one144 * application, which is how source code analysis tools are tested.145 */146147#ifdef INCLUDEMAIN148149int main(int argc, char * argv[])150{151 /* seed randomness */152 srand( (unsigned)time(NULL) );153#ifndef OMITGOOD154 printLine("Calling good()...");155 CWE127_Buffer_Underread__malloc_wchar_t_loop_11_good();156 printLine("Finished good()");157#endif /* OMITGOOD */158#ifndef OMITBAD159 printLine("Calling bad()...");160 CWE127_Buffer_Underread__malloc_wchar_t_loop_11_bad();161 printLine("Finished bad()");162#endif /* OMITBAD */163 return 0;164}165166#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 19 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__char_declare_memcpy_32.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-32.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__char_declare_memcpy_32_bad()24{✓ 25 char * data;✓ 26 char * *dataPtr1 = &data;✓ 27 char * *dataPtr2 = &data;✓ 28 char dataBadBuffer[50];✓ 29 char dataGoodBuffer[100];✓ 30 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */✓ 31 dataBadBuffer[50-1] = '\0'; /* null terminate */✓ 32 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */✓ 33 dataGoodBuffer[100-1] = '\0'; /* null terminate */34 {✓ 35 char * data = *dataPtr1;36 /* FLAW: Set data pointer to a small buffer */✓ 37 data = dataBadBuffer;✓ 38 *dataPtr1 = data;39 }40 {✓ 41 char * data = *dataPtr2;42 {✓ 43 char dest[100];✓ 44 memset(dest, 'C', 100-1);✓ 45 dest[100-1] = '\0'; /* null terminate */46 /* POTENTIAL FLAW: using memcpy with the length of the dest where data47 * could be smaller than dest causing buffer overread */✓ 48 memcpy(dest, data, strlen(dest)*sizeof(char));❗VULN✓ 49 dest[100-1] = '\0';✓ 50 printLine(dest);51 }52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B() uses the GoodSource with the BadSink */60static void goodG2B()61{62 char * data;63 char * *dataPtr1 = &data;64 char * *dataPtr2 = &data;65 char dataBadBuffer[50];66 char dataGoodBuffer[100];67 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */68 dataBadBuffer[50-1] = '\0'; /* null terminate */69 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */70 dataGoodBuffer[100-1] = '\0'; /* null terminate */71 {72 char * data = *dataPtr1;73 /* FIX: Set data pointer to a large buffer */74 data = dataGoodBuffer;75 *dataPtr1 = data;76 }77 {78 char * data = *dataPtr2;79 {80 char dest[100];81 memset(dest, 'C', 100-1);82 dest[100-1] = '\0'; /* null terminate */83 /* POTENTIAL FLAW: using memcpy with the length of the dest where data84 * could be smaller than dest causing buffer overread */85 memcpy(dest, data, strlen(dest)*sizeof(char));86 dest[100-1] = '\0';87 printLine(dest);88 }89 }90}9192void CWE126_Buffer_Overread__char_declare_memcpy_32_good()93{94 goodG2B();95}9697#endif /* OMITGOOD */9899/* Below is the main(). It is only used when building this testcase on100 * its own for testing or for building a binary to use in testing binary101 * analysis tools. It is not used when compiling all the testcases as one102 * application, which is how source code analysis tools are tested.103 */104#ifdef INCLUDEMAIN105106int main(int argc, char * argv[])107{108 /* seed randomness */109 srand( (unsigned)time(NULL) );110#ifndef OMITGOOD111 printLine("Calling good()...");112 CWE126_Buffer_Overread__char_declare_memcpy_32_good();113 printLine("Finished good()");114#endif /* OMITGOOD */115#ifndef OMITBAD116 printLine("Calling bad()...");117 CWE126_Buffer_Overread__char_declare_memcpy_32_bad();118 printLine("Finished bad()");119#endif /* OMITBAD */120 return 0;121}122123#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml4Template File: sources-sinks-21.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: connect_socket Read data using a connect socket (client side)10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.15 *16 * */1718#include "std_testcase.h"1920#ifdef _WIN3221#include <winsock2.h>22#include <windows.h>23#include <direct.h>24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */25#define CLOSE_SOCKET closesocket26#else /* NOT _WIN32 */27#include <sys/types.h>28#include <sys/socket.h>29#include <netinet/in.h>30#include <arpa/inet.h>31#include <unistd.h>32#define INVALID_SOCKET -133#define SOCKET_ERROR -134#define CLOSE_SOCKET close35#define SOCKET int36#endif3738#define TCP_PORT 2701539#define IP_ADDRESS "127.0.0.1"40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)4142#ifndef OMITBAD4344/* The static variable below is used to drive control flow in the sink function */45static int badStatic = 0;46✓ 47static void badSink(int data)48{✓ 49 if(badStatic)50 {51 {✓ 52 int i;✓ 53 int buffer[10] = { 0 };54 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound55 * This code does check to see if the array index is negative */✓ 56 if (data >= 0)57 {✓ 58 buffer[data] = 1;❗VULN59 /* Print the array values */✓ 60 for(i = 0; i < 10; i++)61 {✓ 62 printIntLine(buffer[i]);63 }64 }65 else66 {✓ 67 printLine("ERROR: Array index is negative.");68 }69 }70 }71}7273void CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21_bad()74{75 int data;76 /* Initialize data */77 data = -1;78 {79#ifdef _WIN3280 WSADATA wsaData;81 int wsaDataInit = 0;82#endif83 int recvResult;84 struct sockaddr_in service;85 SOCKET connectSocket = INVALID_SOCKET;86 char inputBuffer[CHAR_ARRAY_SIZE];87 do88 {89#ifdef _WIN3290 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)91 {92 break;93 }94 wsaDataInit = 1;95#endif96 /* POTENTIAL FLAW: Read data using a connect socket */97 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);98 if (connectSocket == INVALID_SOCKET)99 {100 break;101 }102 memset(&service, 0, sizeof(service));103 service.sin_family = AF_INET;104 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);105 service.sin_port = htons(TCP_PORT);106 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)107 {108 break;109 }110 /* Abort on error or the connection was closed, make sure to recv one111 * less char than is in the recv_buf in order to append a terminator */112 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);113 if (recvResult == SOCKET_ERROR || recvResult == 0)114 {115 break;116 }117 /* NUL-terminate the string */118 inputBuffer[recvResult] = '\0';119 /* Convert to int */120 data = atoi(inputBuffer);121 }122 while (0);123 if (connectSocket != INVALID_SOCKET)124 {125 CLOSE_SOCKET(connectSocket);126 }127#ifdef _WIN32128 if (wsaDataInit)129 {130 WSACleanup();131 }132#endif133 }134 badStatic = 1; /* true */135 badSink(data);136}137138#endif /* OMITBAD */139140#ifndef OMITGOOD141142/* The static variables below are used to drive control flow in the sink functions. */143static int goodB2G1Static = 0;144static int goodB2G2Static = 0;145static int goodG2BStatic = 0;146147/* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */148static void goodB2G1Sink(int data)149{150 if(goodB2G1Static)151 {152 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */153 printLine("Benign, fixed string");154 }155 else156 {157 {158 int i;159 int buffer[10] = { 0 };160 /* FIX: Properly validate the array index and prevent a buffer overflow */161 if (data >= 0 && data < (10))162 {163 buffer[data] = 1;164 /* Print the array values */165 for(i = 0; i < 10; i++)166 {167 printIntLine(buffer[i]);168 }169 }170 else171 {172 printLine("ERROR: Array index is out-of-bounds");173 }174 }175 }176}177178static void goodB2G1()179{180 int data;181 /* Initialize data */182 data = -1;183 {184#ifdef _WIN32185 WSADATA wsaData;186 int wsaDataInit = 0;187#endif188 int recvResult;189 struct sockaddr_in service;190 SOCKET connectSocket = INVALID_SOCKET;191 char inputBuffer[CHAR_ARRAY_SIZE];192 do193 {194#ifdef _WIN32195 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)196 {197 break;198 }199 wsaDataInit = 1;200#endif201 /* POTENTIAL FLAW: Read data using a connect socket */202 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);203 if (connectSocket == INVALID_SOCKET)204 {205 break;206 }207 memset(&service, 0, sizeof(service));208 service.sin_family = AF_INET;209 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);210 service.sin_port = htons(TCP_PORT);211 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)212 {213 break;214 }215 /* Abort on error or the connection was closed, make sure to recv one216 * less char than is in the recv_buf in order to append a terminator */217 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);218 if (recvResult == SOCKET_ERROR || recvResult == 0)219 {220 break;221 }222 /* NUL-terminate the string */223 inputBuffer[recvResult] = '\0';224 /* Convert to int */225 data = atoi(inputBuffer);226 }227 while (0);228 if (connectSocket != INVALID_SOCKET)229 {230 CLOSE_SOCKET(connectSocket);231 }232#ifdef _WIN32233 if (wsaDataInit)234 {235 WSACleanup();236 }237#endif238 }239 goodB2G1Static = 0; /* false */240 goodB2G1Sink(data);241}242243/* goodB2G2() - use badsource and goodsink by reversing the blocks in the if in the sink function */244static void goodB2G2Sink(int data)245{246 if(goodB2G2Static)247 {248 {249 int i;250 int buffer[10] = { 0 };251 /* FIX: Properly validate the array index and prevent a buffer overflow */252 if (data >= 0 && data < (10))253 {254 buffer[data] = 1;255 /* Print the array values */256 for(i = 0; i < 10; i++)257 {258 printIntLine(buffer[i]);259 }260 }261 else262 {263 printLine("ERROR: Array index is out-of-bounds");264 }265 }266 }267}268269static void goodB2G2()270{271 int data;272 /* Initialize data */273 data = -1;274 {275#ifdef _WIN32276 WSADATA wsaData;277 int wsaDataInit = 0;278#endif279 int recvResult;280 struct sockaddr_in service;281 SOCKET connectSocket = INVALID_SOCKET;282 char inputBuffer[CHAR_ARRAY_SIZE];283 do284 {285#ifdef _WIN32286 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)287 {288 break;289 }290 wsaDataInit = 1;291#endif292 /* POTENTIAL FLAW: Read data using a connect socket */293 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);294 if (connectSocket == INVALID_SOCKET)295 {296 break;297 }298 memset(&service, 0, sizeof(service));299 service.sin_family = AF_INET;300 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);301 service.sin_port = htons(TCP_PORT);302 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)303 {304 break;305 }306 /* Abort on error or the connection was closed, make sure to recv one307 * less char than is in the recv_buf in order to append a terminator */308 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);309 if (recvResult == SOCKET_ERROR || recvResult == 0)310 {311 break;312 }313 /* NUL-terminate the string */314 inputBuffer[recvResult] = '\0';315 /* Convert to int */316 data = atoi(inputBuffer);317 }318 while (0);319 if (connectSocket != INVALID_SOCKET)320 {321 CLOSE_SOCKET(connectSocket);322 }323#ifdef _WIN32324 if (wsaDataInit)325 {326 WSACleanup();327 }328#endif329 }330 goodB2G2Static = 1; /* true */331 goodB2G2Sink(data);332}333334/* goodG2B() - use goodsource and badsink */335static void goodG2BSink(int data)336{337 if(goodG2BStatic)338 {339 {340 int i;341 int buffer[10] = { 0 };342 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound343 * This code does check to see if the array index is negative */344 if (data >= 0)345 {346 buffer[data] = 1;347 /* Print the array values */348 for(i = 0; i < 10; i++)349 {350 printIntLine(buffer[i]);351 }352 }353 else354 {355 printLine("ERROR: Array index is negative.");356 }357 }358 }359}360361static void goodG2B()362{363 int data;364 /* Initialize data */365 data = -1;366 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to367 * access an index of the array in the sink that is out-of-bounds */368 data = 7;369 goodG2BStatic = 1; /* true */370 goodG2BSink(data);371}372373void CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21_good()374{375 goodB2G1();376 goodB2G2();377 goodG2B();378}379380#endif /* OMITGOOD */381382/* Below is the main(). It is only used when building this testcase on383 its own for testing or for building a binary to use in testing binary384 analysis tools. It is not used when compiling all the testcases as one385 application, which is how source code analysis tools are tested. */386387#ifdef INCLUDEMAIN388389int main(int argc, char * argv[])390{391 /* seed randomness */392 srand( (unsigned)time(NULL) );393#ifndef OMITGOOD394 printLine("Calling good()...");395 CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21_good();396 printLine("Finished good()");397#endif /* OMITGOOD */398#ifndef OMITBAD399 printLine("Calling bad()...");400 CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21_bad();401 printLine("Finished bad()");402#endif /* OMITBAD */403 return 0;404}405406#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: swprintf12 * BadSink : Copy data to string using swprintf13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627/* The variable below is not declared "const", but is never assigned28 * any other value so a tool should be able to identify that reads of29 * this will always give its initialized value.30 */31static int staticFive = 5;3233#ifndef OMITBAD3435void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07_bad()36{✓ 37 wchar_t * data;✓ 38 data = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 39 if (data == NULL) {exit(-1);}✓ 40 if(staticFive==5)41 {42 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 43 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 44 data[100-1] = L'\0'; /* null terminate */45 }46 {✓ 47 wchar_t dest[50] = L"";48 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 49 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN✓ 50 printWLine(data);✓ 51 free(data);52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */60static void goodG2B1()61{62 wchar_t * data;63 data = (wchar_t *)malloc(100*sizeof(wchar_t));64 if (data == NULL) {exit(-1);}65 if(staticFive!=5)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */73 wmemset(data, L'A', 50-1); /* fill with L'A's */74 data[50-1] = L'\0'; /* null terminate */75 }76 {77 wchar_t dest[50] = L"";78 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */79 SNPRINTF(dest, wcslen(data), L"%s", data);80 printWLine(data);81 free(data);82 }83}8485/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */86static void goodG2B2()87{88 wchar_t * data;89 data = (wchar_t *)malloc(100*sizeof(wchar_t));90 if (data == NULL) {exit(-1);}91 if(staticFive==5)92 {93 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */94 wmemset(data, L'A', 50-1); /* fill with L'A's */95 data[50-1] = L'\0'; /* null terminate */96 }97 {98 wchar_t dest[50] = L"";99 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */100 SNPRINTF(dest, wcslen(data), L"%s", data);101 printWLine(data);102 free(data);103 }104}105106void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07_good()107{108 goodG2B1();109 goodG2B2();110}111112#endif /* OMITGOOD */113114/* Below is the main(). It is only used when building this testcase on115 * its own for testing or for building a binary to use in testing binary116 * analysis tools. It is not used when compiling all the testcases as one117 * application, which is how source code analysis tools are tested.118 */119120#ifdef INCLUDEMAIN121122int main(int argc, char * argv[])123{124 /* seed randomness */125 srand( (unsigned)time(NULL) );126#ifndef OMITGOOD127 printLine("Calling good()...");128 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07_good();129 printLine("Finished good()");130#endif /* OMITGOOD */131#ifndef OMITBAD132 printLine("Calling bad()...");133 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07_bad();134 printLine("Finished bad()");135#endif /* OMITBAD */136 return 0;137}138139#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_wchar_t_cpy_21.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-21.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy data to string using wcscpy13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223/* The static variable below is used to drive control flow in the source function */24static int badStatic = 0;2526static wchar_t * badSource(wchar_t * data)27{28 if(badStatic)29 {30 {31 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));32 if (dataBuffer == NULL) {exit(-1);}33 wmemset(dataBuffer, L'A', 100-1);34 dataBuffer[100-1] = L'\0';35 /* FLAW: Set data pointer to before the allocated memory buffer */36 data = dataBuffer - 8;37 }38 }39 return data;40}4142void CWE127_Buffer_Underread__malloc_wchar_t_cpy_21_bad()43{✓ 44 wchar_t * data;✓ 45 data = NULL;✓ 46 badStatic = 1; /* true */✓ 47 data = badSource(data);48 {✓ 49 wchar_t dest[100*2];✓ 50 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */✓ 51 dest[100*2-1] = L'\0'; /* null terminate */52 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 53 wcscpy(dest, data);❗VULN✓ 54 printWLine(dest);55 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location56 * returned by malloc() so can't safely call free() on it */57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* The static variables below are used to drive control flow in the source functions. */65static int goodG2B1Static = 0;66static int goodG2B2Static = 0;6768/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */69static wchar_t * goodG2B1Source(wchar_t * data)70{71 if(goodG2B1Static)72 {73 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */74 printLine("Benign, fixed string");75 }76 else77 {78 {79 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));80 if (dataBuffer == NULL) {exit(-1);}81 wmemset(dataBuffer, L'A', 100-1);82 dataBuffer[100-1] = L'\0';83 /* FIX: Set data pointer to the allocated memory buffer */84 data = dataBuffer;85 }86 }87 return data;88}8990static void goodG2B1()91{92 wchar_t * data;93 data = NULL;94 goodG2B1Static = 0; /* false */95 data = goodG2B1Source(data);96 {97 wchar_t dest[100*2];98 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */99 dest[100*2-1] = L'\0'; /* null terminate */100 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */101 wcscpy(dest, data);102 printWLine(dest);103 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location104 * returned by malloc() so can't safely call free() on it */105 }106}107108/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */109static wchar_t * goodG2B2Source(wchar_t * data)110{111 if(goodG2B2Static)112 {113 {114 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));115 if (dataBuffer == NULL) {exit(-1);}116 wmemset(dataBuffer, L'A', 100-1);117 dataBuffer[100-1] = L'\0';118 /* FIX: Set data pointer to the allocated memory buffer */119 data = dataBuffer;120 }121 }122 return data;123}124125static void goodG2B2()126{127 wchar_t * data;128 data = NULL;129 goodG2B2Static = 1; /* true */130 data = goodG2B2Source(data);131 {132 wchar_t dest[100*2];133 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */134 dest[100*2-1] = L'\0'; /* null terminate */135 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */136 wcscpy(dest, data);137 printWLine(dest);138 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location139 * returned by malloc() so can't safely call free() on it */140 }141}142143void CWE127_Buffer_Underread__malloc_wchar_t_cpy_21_good()144{145 goodG2B1();146 goodG2B2();147}148149#endif /* OMITGOOD */150151/* Below is the main(). It is only used when building this testcase on152 * its own for testing or for building a binary to use in testing binary153 * analysis tools. It is not used when compiling all the testcases as one154 * application, which is how source code analysis tools are tested.155 */156157#ifdef INCLUDEMAIN158159int main(int argc, char * argv[])160{161 /* seed randomness */162 srand( (unsigned)time(NULL) );163#ifndef OMITGOOD164 printLine("Calling good()...");165 CWE127_Buffer_Underread__malloc_wchar_t_cpy_21_good();166 printLine("Finished good()");167#endif /* OMITGOOD */168#ifndef OMITBAD169 printLine("Calling bad()...");170 CWE127_Buffer_Underread__malloc_wchar_t_cpy_21_bad();171 printLine("Finished bad()");172#endif /* OMITBAD */173 return 0;174}175176#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-13.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13_bad()24{✓ 25 char * data;✓ 26 char dataBadBuffer[50];✓ 27 char dataGoodBuffer[100];✓ 28 if(GLOBAL_CONST_FIVE==5)29 {30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination31 * buffer in various memory copying functions using a "large" source buffer. */✓ 32 data = dataBadBuffer;✓ 33 data[0] = '\0'; /* null terminate */34 }35 {✓ 36 size_t i;✓ 37 char source[100];✓ 38 memset(source, 'C', 100-1); /* fill with 'C's */✓ 39 source[100-1] = '\0'; /* null terminate */40 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 41 for (i = 0; i < 100; i++)42 {✓ 43 data[i] = source[i];❗VULN44 }✓ 45 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 46 printLine(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */55static void goodG2B1()56{57 char * data;58 char dataBadBuffer[50];59 char dataGoodBuffer[100];60 if(GLOBAL_CONST_FIVE!=5)61 {62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */63 printLine("Benign, fixed string");64 }65 else66 {67 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */68 data = dataGoodBuffer;69 data[0] = '\0'; /* null terminate */70 }71 {72 size_t i;73 char source[100];74 memset(source, 'C', 100-1); /* fill with 'C's */75 source[100-1] = '\0'; /* null terminate */76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */77 for (i = 0; i < 100; i++)78 {79 data[i] = source[i];80 }81 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */82 printLine(data);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 char * data;90 char dataBadBuffer[50];91 char dataGoodBuffer[100];92 if(GLOBAL_CONST_FIVE==5)93 {94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */95 data = dataGoodBuffer;96 data[0] = '\0'; /* null terminate */97 }98 {99 size_t i;100 char source[100];101 memset(source, 'C', 100-1); /* fill with 'C's */102 source[100-1] = '\0'; /* null terminate */103 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */104 for (i = 0; i < 100; i++)105 {106 data[i] = source[i];107 }108 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */109 printLine(data);110 }111}112113void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13_good()114{115 goodG2B1();116 goodG2B2();117}118119#endif /* OMITGOOD */120121/* Below is the main(). It is only used when building this testcase on122 * its own for testing or for building a binary to use in testing binary123 * analysis tools. It is not used when compiling all the testcases as one124 * application, which is how source code analysis tools are tested.125 */126127#ifdef INCLUDEMAIN128129int main(int argc, char * argv[])130{131 /* seed randomness */132 srand( (unsigned)time(NULL) );133#ifndef OMITGOOD134 printLine("Calling good()...");135 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13_good();136 printLine("Finished good()");137#endif /* OMITGOOD */138#ifndef OMITBAD139 printLine("Calling bad()...");140 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13_bad();141 printLine("Finished bad()");142#endif /* OMITBAD */143 return 0;144}145146#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_char_memcpy_04.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-04.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are declared "const", so a tool should22 be able to identify that reads of these will always return their23 initialized values. */24static const int STATIC_CONST_TRUE = 1; /* true */25static const int STATIC_CONST_FALSE = 0; /* false */2627namespace CWE124_Buffer_Underwrite__new_char_memcpy_0428{2930#ifndef OMITBAD3132void bad()33{✓ 34 char * data;✓ 35 data = NULL;✓ 36 if(STATIC_CONST_TRUE)37 {38 {✓ 39 char * dataBuffer = new char[100];✓ 40 memset(dataBuffer, 'A', 100-1);✓ 41 dataBuffer[100-1] = '\0';42 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 43 data = dataBuffer - 8;44 }45 }46 {✓ 47 char source[100];✓ 48 memset(source, 'C', 100-1); /* fill with 'C's */✓ 49 source[100-1] = '\0'; /* null terminate */50 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 51 memcpy(data, source, 100*sizeof(char));❗VULN52 /* Ensure the destination buffer is null terminated */✓ 53 data[100-1] = '\0';✓ 54 printLine(data);55 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location56 * returned by new [] so can't safely call delete [] on it */57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */65static void goodG2B1()66{67 char * data;68 data = NULL;69 if(STATIC_CONST_FALSE)70 {71 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */72 printLine("Benign, fixed string");73 }74 else75 {76 {77 char * dataBuffer = new char[100];78 memset(dataBuffer, 'A', 100-1);79 dataBuffer[100-1] = '\0';80 /* FIX: Set data pointer to the allocated memory buffer */81 data = dataBuffer;82 }83 }84 {85 char source[100];86 memset(source, 'C', 100-1); /* fill with 'C's */87 source[100-1] = '\0'; /* null terminate */88 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */89 memcpy(data, source, 100*sizeof(char));90 /* Ensure the destination buffer is null terminated */91 data[100-1] = '\0';92 printLine(data);93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location94 * returned by new [] so can't safely call delete [] on it */95 }96}9798/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */99static void goodG2B2()100{101 char * data;102 data = NULL;103 if(STATIC_CONST_TRUE)104 {105 {106 char * dataBuffer = new char[100];107 memset(dataBuffer, 'A', 100-1);108 dataBuffer[100-1] = '\0';109 /* FIX: Set data pointer to the allocated memory buffer */110 data = dataBuffer;111 }112 }113 {114 char source[100];115 memset(source, 'C', 100-1); /* fill with 'C's */116 source[100-1] = '\0'; /* null terminate */117 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */118 memcpy(data, source, 100*sizeof(char));119 /* Ensure the destination buffer is null terminated */120 data[100-1] = '\0';121 printLine(data);122 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location123 * returned by new [] so can't safely call delete [] on it */124 }125}126127void good()128{129 goodG2B1();130 goodG2B2();131}132133#endif /* OMITGOOD */134135} /* close namespace */136137/* Below is the main(). It is only used when building this testcase on138 its own for testing or for building a binary to use in testing binary139 analysis tools. It is not used when compiling all the testcases as one140 application, which is how source code analysis tools are tested. */141142#ifdef INCLUDEMAIN143144using namespace CWE124_Buffer_Underwrite__new_char_memcpy_04; /* so that we can use good and bad easily */145146int main(int argc, char * argv[])147{148 /* seed randomness */149 srand( (unsigned)time(NULL) );150#ifndef OMITGOOD151 printLine("Calling good()...");152 good();153 printLine("Finished good()");154#endif /* OMITGOOD */155#ifndef OMITBAD156 printLine("Calling bad()...");157 bad();158 printLine("Finished bad()");159#endif /* OMITBAD */160 return 0;161}162163#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_21.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-21.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_2122{2324#ifndef OMITBAD2526/* The static variable below is used to drive control flow in the source function */27static int badStatic = 0;2829static char * badSource(char * data)30{31 if(badStatic)32 {33 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */34 data = new char[50];35 data[0] = '\0'; /* null terminate */36 }37 return data;38}3940void bad()41{✓ 42 char * data;✓ 43 data = NULL;✓ 44 badStatic = 1; /* true */✓ 45 data = badSource(data);46 {✓ 47 char source[100];✓ 48 memset(source, 'C', 100-1); /* fill with 'C's */✓ 49 source[100-1] = '\0'; /* null terminate */50 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 51 memcpy(data, source, 100*sizeof(char));❗VULN✓ 52 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 53 printLine(data);✓ 54 delete [] data;55 }✓ 56 ;57}5859#endif /* OMITBAD */6061#ifndef OMITGOOD6263/* The static variables below are used to drive control flow in the source functions. */64static int goodG2B1Static = 0;65static int goodG2B2Static = 0;6667/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */68static char * goodG2B1Source(char * data)69{70 if(goodG2B1Static)71 {72 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */73 printLine("Benign, fixed string");74 }75 else76 {77 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */78 data = new char[100];79 data[0] = '\0'; /* null terminate */80 }81 return data;82}8384static void goodG2B1()85{86 char * data;87 data = NULL;88 goodG2B1Static = 0; /* false */89 data = goodG2B1Source(data);90 {91 char source[100];92 memset(source, 'C', 100-1); /* fill with 'C's */93 source[100-1] = '\0'; /* null terminate */94 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */95 memcpy(data, source, 100*sizeof(char));96 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */97 printLine(data);98 delete [] data;99 }100 ;101}102103/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */104static char * goodG2B2Source(char * data)105{106 if(goodG2B2Static)107 {108 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */109 data = new char[100];110 data[0] = '\0'; /* null terminate */111 }112 return data;113}114115static void goodG2B2()116{117 char * data;118 data = NULL;119 goodG2B2Static = 1; /* true */120 data = goodG2B2Source(data);121 {122 char source[100];123 memset(source, 'C', 100-1); /* fill with 'C's */124 source[100-1] = '\0'; /* null terminate */125 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */126 memcpy(data, source, 100*sizeof(char));127 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */128 printLine(data);129 delete [] data;130 }131 ;132}133134void good()135{136 goodG2B1();137 goodG2B2();138}139140#endif /* OMITGOOD */141142} /* close namespace */143144/* Below is the main(). It is only used when building this testcase on145 its own for testing or for building a binary to use in testing binary146 analysis tools. It is not used when compiling all the testcases as one147 application, which is how source code analysis tools are tested. */148149#ifdef INCLUDEMAIN150151using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_21; /* so that we can use good and bad easily */152153int main(int argc, char * argv[])154{155 /* seed randomness */156 srand( (unsigned)time(NULL) );157#ifndef OMITGOOD158 printLine("Calling good()...");159 good();160 printLine("Finished good()");161#endif /* OMITGOOD */162#ifndef OMITBAD163 printLine("Calling bad()...");164 bad();165 printLine("Finished bad()");166#endif /* OMITBAD */167 return 0;168}169170#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__new_char_memcpy_21.cpp3Label Definition File: CWE127_Buffer_Underread__new.label.xml4Template File: sources-sink-21.tmpl.cpp5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE127_Buffer_Underread__new_char_memcpy_2122{2324#ifndef OMITBAD2526/* The static variable below is used to drive control flow in the source function */27static int badStatic = 0;2829static char * badSource(char * data)30{31 if(badStatic)32 {33 {34 char * dataBuffer = new char[100];35 memset(dataBuffer, 'A', 100-1);36 dataBuffer[100-1] = '\0';37 /* FLAW: Set data pointer to before the allocated memory buffer */38 data = dataBuffer - 8;39 }40 }41 return data;42}4344void bad()45{✓ 46 char * data;✓ 47 data = NULL;✓ 48 badStatic = 1; /* true */✓ 49 data = badSource(data);50 {✓ 51 char dest[100];✓ 52 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 53 dest[100-1] = '\0'; /* null terminate */54 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 55 memcpy(dest, data, 100*sizeof(char));❗VULN56 /* Ensure null termination */✓ 57 dest[100-1] = '\0';✓ 58 printLine(dest);59 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location60 * returned by new [] so can't safely call delete [] on it */61 }✓ 62 ;63}6465#endif /* OMITBAD */6667#ifndef OMITGOOD6869/* The static variables below are used to drive control flow in the source functions. */70static int goodG2B1Static = 0;71static int goodG2B2Static = 0;7273/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */74static char * goodG2B1Source(char * data)75{76 if(goodG2B1Static)77 {78 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */79 printLine("Benign, fixed string");80 }81 else82 {83 {84 char * dataBuffer = new char[100];85 memset(dataBuffer, 'A', 100-1);86 dataBuffer[100-1] = '\0';87 /* FIX: Set data pointer to the allocated memory buffer */88 data = dataBuffer;89 }90 }91 return data;92}9394static void goodG2B1()95{96 char * data;97 data = NULL;98 goodG2B1Static = 0; /* false */99 data = goodG2B1Source(data);100 {101 char dest[100];102 memset(dest, 'C', 100-1); /* fill with 'C's */103 dest[100-1] = '\0'; /* null terminate */104 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */105 memcpy(dest, data, 100*sizeof(char));106 /* Ensure null termination */107 dest[100-1] = '\0';108 printLine(dest);109 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location110 * returned by new [] so can't safely call delete [] on it */111 }112 ;113}114115/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */116static char * goodG2B2Source(char * data)117{118 if(goodG2B2Static)119 {120 {121 char * dataBuffer = new char[100];122 memset(dataBuffer, 'A', 100-1);123 dataBuffer[100-1] = '\0';124 /* FIX: Set data pointer to the allocated memory buffer */125 data = dataBuffer;126 }127 }128 return data;129}130131static void goodG2B2()132{133 char * data;134 data = NULL;135 goodG2B2Static = 1; /* true */136 data = goodG2B2Source(data);137 {138 char dest[100];139 memset(dest, 'C', 100-1); /* fill with 'C's */140 dest[100-1] = '\0'; /* null terminate */141 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */142 memcpy(dest, data, 100*sizeof(char));143 /* Ensure null termination */144 dest[100-1] = '\0';145 printLine(dest);146 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location147 * returned by new [] so can't safely call delete [] on it */148 }149 ;150}151152void good()153{154 goodG2B1();155 goodG2B2();156}157158#endif /* OMITGOOD */159160} /* close namespace */161162/* Below is the main(). It is only used when building this testcase on163 its own for testing or for building a binary to use in testing binary164 analysis tools. It is not used when compiling all the testcases as one165 application, which is how source code analysis tools are tested. */166167#ifdef INCLUDEMAIN168169using namespace CWE127_Buffer_Underread__new_char_memcpy_21; /* so that we can use good and bad easily */170171int main(int argc, char * argv[])172{173 /* seed randomness */174 srand( (unsigned)time(NULL) );175#ifndef OMITGOOD176 printLine("Calling good()...");177 good();178 printLine("Finished good()");179#endif /* OMITGOOD */180#ifndef OMITBAD181 printLine("Calling bad()...");182 bad();183 printLine("Finished bad()");184#endif /* OMITBAD */185 return 0;186}187188#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Point data to a buffer that does not have space for a NULL terminator10 * GoodSource: Point data to a buffer that includes space for a NULL terminator11 * Sink: memmove12 * BadSink : Copy string to data using memmove()13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING L"AAAAAAAAAA"2526/* The variable below is not declared "const", but is never assigned27 * any other value so a tool should be able to identify that reads of28 * this will always give its initialized value.29 */30static int staticFive = 5;3132#ifndef OMITBAD3334void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07_bad()35{✓ 36 wchar_t * data;✓ 37 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));✓ 38 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));✓ 39 if(staticFive==5)40 {41 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing42 * string copies in the sinks */✓ 43 data = dataBadBuffer;✓ 44 data[0] = L'\0'; /* null terminate */45 }46 {✓ 47 wchar_t source[10+1] = SRC_STRING;48 /* Copy length + 1 to include NUL terminator from source */49 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 50 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));❗VULN✓ 51 printWLine(data);52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */60static void goodG2B1()61{62 wchar_t * data;63 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));64 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));65 if(staticFive!=5)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing73 * string copies in the sinks */74 data = dataGoodBuffer;75 data[0] = L'\0'; /* null terminate */76 }77 {78 wchar_t source[10+1] = SRC_STRING;79 /* Copy length + 1 to include NUL terminator from source */80 /* POTENTIAL FLAW: data may not have enough space to hold source */81 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));82 printWLine(data);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 wchar_t * data;90 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));91 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));92 if(staticFive==5)93 {94 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing95 * string copies in the sinks */96 data = dataGoodBuffer;97 data[0] = L'\0'; /* null terminate */98 }99 {100 wchar_t source[10+1] = SRC_STRING;101 /* Copy length + 1 to include NUL terminator from source */102 /* POTENTIAL FLAW: data may not have enough space to hold source */103 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));104 printWLine(data);105 }106}107108void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07_good()109{110 goodG2B1();111 goodG2B2();112}113114#endif /* OMITGOOD */115116/* Below is the main(). It is only used when building this testcase on117 * its own for testing or for building a binary to use in testing binary118 * analysis tools. It is not used when compiling all the testcases as one119 * application, which is how source code analysis tools are tested.120 */121122#ifdef INCLUDEMAIN123124int main(int argc, char * argv[])125{126 /* seed randomness */127 srand( (unsigned)time(NULL) );128#ifndef OMITGOOD129 printLine("Calling good()...");130 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07_good();131 printLine("Finished good()");132#endif /* OMITGOOD */133#ifndef OMITBAD134 printLine("Calling bad()...");135 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07_bad();136 printLine("Finished bad()");137#endif /* OMITBAD */138 return 0;139}140141#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__malloc_char_cpy_16.c3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml4Template File: sources-sink-16.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy string to data using strcpy13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__malloc_char_cpy_16_bad()24{✓ 25 char * data;✓ 26 data = NULL;✓ 27 while(1)28 {29 {✓ 30 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 memset(dataBuffer, 'A', 100-1);✓ 33 dataBuffer[100-1] = '\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }✓ 37 break;38 }39 {✓ 40 char source[100];✓ 41 memset(source, 'C', 100-1); /* fill with 'C's */✓ 42 source[100-1] = '\0'; /* null terminate */43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 44 strcpy(data, source);❗VULN✓ 45 printLine(data);46 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location47 * returned by malloc() so can't safely call free() on it */48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */56static void goodG2B()57{58 char * data;59 data = NULL;60 while(1)61 {62 {63 char * dataBuffer = (char *)malloc(100*sizeof(char));64 if (dataBuffer == NULL) {exit(-1);}65 memset(dataBuffer, 'A', 100-1);66 dataBuffer[100-1] = '\0';67 /* FIX: Set data pointer to the allocated memory buffer */68 data = dataBuffer;69 }70 break;71 }72 {73 char source[100];74 memset(source, 'C', 100-1); /* fill with 'C's */75 source[100-1] = '\0'; /* null terminate */76 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */77 strcpy(data, source);78 printLine(data);79 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location80 * returned by malloc() so can't safely call free() on it */81 }82}8384void CWE124_Buffer_Underwrite__malloc_char_cpy_16_good()85{86 goodG2B();87}8889#endif /* OMITGOOD */9091/* Below is the main(). It is only used when building this testcase on92 * its own for testing or for building a binary to use in testing binary93 * analysis tools. It is not used when compiling all the testcases as one94 * application, which is how source code analysis tools are tested.95 */9697#ifdef INCLUDEMAIN9899int main(int argc, char * argv[])100{101 /* seed randomness */102 srand( (unsigned)time(NULL) );103#ifndef OMITGOOD104 printLine("Calling good()...");105 CWE124_Buffer_Underwrite__malloc_char_cpy_16_good();106 printLine("Finished good()");107#endif /* OMITGOOD */108#ifndef OMITBAD109 printLine("Calling bad()...");110 CWE124_Buffer_Underwrite__malloc_char_cpy_16_bad();111 printLine("Finished bad()");112#endif /* OMITBAD */113 return 0;114}115116#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-13.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: swprintf12 * BadSink : Copy string to data using swprintf13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627#ifndef OMITBAD2829void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13_bad()30{✓ 31 wchar_t * data;✓ 32 wchar_t dataBadBuffer[50];✓ 33 wchar_t dataGoodBuffer[100];✓ 34 if(GLOBAL_CONST_FIVE==5)35 {36 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination37 * buffer in various memory copying functions using a "large" source buffer. */✓ 38 data = dataBadBuffer;✓ 39 data[0] = L'\0'; /* null terminate */40 }41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 46 SNPRINTF(data, 100, L"%s", source);❗VULN✓ 47 printWLine(data);48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */56static void goodG2B1()57{58 wchar_t * data;59 wchar_t dataBadBuffer[50];60 wchar_t dataGoodBuffer[100];61 if(GLOBAL_CONST_FIVE!=5)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */69 data = dataGoodBuffer;70 data[0] = L'\0'; /* null terminate */71 }72 {73 wchar_t source[100];74 wmemset(source, L'C', 100-1); /* fill with L'C's */75 source[100-1] = L'\0'; /* null terminate */76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */77 SNPRINTF(data, 100, L"%s", source);78 printWLine(data);79 }80}8182/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */83static void goodG2B2()84{85 wchar_t * data;86 wchar_t dataBadBuffer[50];87 wchar_t dataGoodBuffer[100];88 if(GLOBAL_CONST_FIVE==5)89 {90 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */91 data = dataGoodBuffer;92 data[0] = L'\0'; /* null terminate */93 }94 {95 wchar_t source[100];96 wmemset(source, L'C', 100-1); /* fill with L'C's */97 source[100-1] = L'\0'; /* null terminate */98 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */99 SNPRINTF(data, 100, L"%s", source);100 printWLine(data);101 }102}103104void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13_good()105{106 goodG2B1();107 goodG2B2();108}109110#endif /* OMITGOOD */111112/* Below is the main(). It is only used when building this testcase on113 * its own for testing or for building a binary to use in testing binary114 * analysis tools. It is not used when compiling all the testcases as one115 * application, which is how source code analysis tools are tested.116 */117118#ifdef INCLUDEMAIN119120int main(int argc, char * argv[])121{122 /* seed randomness */123 srand( (unsigned)time(NULL) );124#ifndef OMITGOOD125 printLine("Calling good()...");126 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13_good();127 printLine("Finished good()");128#endif /* OMITGOOD */129#ifndef OMITBAD130 printLine("Calling bad()...");131 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13_bad();132 printLine("Finished bad()");133#endif /* OMITBAD */134 return 0;135}136137#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-06.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is declared "const", so a tool should be able22 * to identify that reads of this will always give its initialized value. */23static const int STATIC_CONST_FIVE = 5;2425#ifndef OMITBAD2627void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06_bad()28{✓ 29 wchar_t * data;✓ 30 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 31 data = dataBuffer;✓ 32 if(STATIC_CONST_FIVE==5)33 {34 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 35 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 36 data[100-1] = L'\0'; /* null terminate */37 }38 {✓ 39 wchar_t dest[50] = L"";40 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 41 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN✓ 42 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 43 printWLine(data);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */52static void goodG2B1()53{54 wchar_t * data;55 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));56 data = dataBuffer;57 if(STATIC_CONST_FIVE!=5)58 {59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */60 printLine("Benign, fixed string");61 }62 else63 {64 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */65 wmemset(data, L'A', 50-1); /* fill with L'A's */66 data[50-1] = L'\0'; /* null terminate */67 }68 {69 wchar_t dest[50] = L"";70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */71 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));72 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */73 printWLine(data);74 }75}7677/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */78static void goodG2B2()79{80 wchar_t * data;81 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));82 data = dataBuffer;83 if(STATIC_CONST_FIVE==5)84 {85 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */86 wmemset(data, L'A', 50-1); /* fill with L'A's */87 data[50-1] = L'\0'; /* null terminate */88 }89 {90 wchar_t dest[50] = L"";91 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */92 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));93 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */94 printWLine(data);95 }96}9798void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06_good()99{100 goodG2B1();101 goodG2B2();102}103104#endif /* OMITGOOD */105106/* Below is the main(). It is only used when building this testcase on107 * its own for testing or for building a binary to use in testing binary108 * analysis tools. It is not used when compiling all the testcases as one109 * application, which is how source code analysis tools are tested.110 */111112#ifdef INCLUDEMAIN113114int main(int argc, char * argv[])115{116 /* seed randomness */117 srand( (unsigned)time(NULL) );118#ifndef OMITGOOD119 printLine("Calling good()...");120 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06_good();121 printLine("Finished good()");122#endif /* OMITGOOD */123#ifndef OMITBAD124 printLine("Calling bad()...");125 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06_bad();126 printLine("Finished bad()");127#endif /* OMITBAD */128 return 0;129}130131#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_17.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-17.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_1722{2324#ifndef OMITBAD2526void bad()27{✓ 28 int i;✓ 29 char * data;✓ 30 data = NULL;✓ 31 for(i = 0; i < 1; i++)32 {33 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 34 data = new char[50];✓ 35 data[0] = '\0'; /* null terminate */36 }37 {✓ 38 char source[100];✓ 39 memset(source, 'C', 100-1); /* fill with 'C's */✓ 40 source[100-1] = '\0'; /* null terminate */41 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 42 memcpy(data, source, 100*sizeof(char));❗VULN✓ 43 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 44 printLine(data);✓ 45 delete [] data;46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B() - use goodsource in the for statement */54static void goodG2B()55{56 int h;57 char * data;58 data = NULL;59 for(h = 0; h < 1; h++)60 {61 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */62 data = new char[100];63 data[0] = '\0'; /* null terminate */64 }65 {66 char source[100];67 memset(source, 'C', 100-1); /* fill with 'C's */68 source[100-1] = '\0'; /* null terminate */69 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */70 memcpy(data, source, 100*sizeof(char));71 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */72 printLine(data);73 delete [] data;74 }75}7677void good()78{79 goodG2B();80}8182#endif /* OMITGOOD */8384} /* close namespace */8586/* Below is the main(). It is only used when building this testcase on87 its own for testing or for building a binary to use in testing binary88 analysis tools. It is not used when compiling all the testcases as one89 application, which is how source code analysis tools are tested. */9091#ifdef INCLUDEMAIN9293using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_17; /* so that we can use good and bad easily */9495int main(int argc, char * argv[])96{97 /* seed randomness */98 srand( (unsigned)time(NULL) );99#ifndef OMITGOOD100 printLine("Calling good()...");101 good();102 printLine("Finished good()");103#endif /* OMITGOOD */104#ifndef OMITBAD105 printLine("Calling bad()...");106 bad();107 printLine("Finished bad()");108#endif /* OMITBAD */109 return 0;110}111112#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow.label.xml4Template File: point-flaw-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * Sinks: type_overrun_memmove10 * GoodSink: Perform the memmove() and prevent overwriting part of the structure11 * BadSink : Overwrite part of the structure by incorrectly using the sizeof(struct) in memmove()12 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)13 *14 * */1516#include "std_testcase.h"1718#ifndef _WIN3219#include <wchar.h>20#endif2122/* SRC_STR is 32 char long, including the null terminator, for 64-bit architectures */23#define SRC_STR "0123456789abcdef0123456789abcde"2425typedef struct _charVoid26{27 char charFirst[16];28 void * voidSecond;29 void * voidThird;30} charVoid;3132/* The variable below is not declared "const", but is never assigned33 any other value so a tool should be able to identify that reads of34 this will always give its initialized value. */35static int staticFive = 5;3637#ifndef OMITBAD3839void CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07_bad()40{✓ 41 if(staticFive==5)42 {43 {✓ 44 charVoid structCharVoid;✓ 45 structCharVoid.voidSecond = (void *)SRC_STR;46 /* Print the initial block pointed to by structCharVoid.voidSecond */✓ 47 printLine((char *)structCharVoid.voidSecond);48 /* FLAW: Use the sizeof(structCharVoid) which will overwrite the pointer voidSecond */✓ 49 memmove(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid));❗VULN✓ 50 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */✓ 51 printLine((char *)structCharVoid.charFirst);✓ 52 printLine((char *)structCharVoid.voidSecond);53 }54 }55}5657#endif /* OMITBAD */5859#ifndef OMITGOOD6061/* good1() uses if(staticFive!=5) instead of if(staticFive==5) */62static void good1()63{64 if(staticFive!=5)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 {72 charVoid structCharVoid;73 structCharVoid.voidSecond = (void *)SRC_STR;74 /* Print the initial block pointed to by structCharVoid.voidSecond */75 printLine((char *)structCharVoid.voidSecond);76 /* FIX: Use sizeof(structCharVoid.charFirst) to avoid overwriting the pointer voidSecond */77 memmove(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid.charFirst));78 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */79 printLine((char *)structCharVoid.charFirst);80 printLine((char *)structCharVoid.voidSecond);81 }82 }83}8485/* good2() reverses the bodies in the if statement */86static void good2()87{88 if(staticFive==5)89 {90 {91 charVoid structCharVoid;92 structCharVoid.voidSecond = (void *)SRC_STR;93 /* Print the initial block pointed to by structCharVoid.voidSecond */94 printLine((char *)structCharVoid.voidSecond);95 /* FIX: Use sizeof(structCharVoid.charFirst) to avoid overwriting the pointer voidSecond */96 memmove(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid.charFirst));97 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */98 printLine((char *)structCharVoid.charFirst);99 printLine((char *)structCharVoid.voidSecond);100 }101 }102}103104void CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07_good()105{106 good1();107 good2();108}109110#endif /* OMITGOOD */111112/* Below is the main(). It is only used when building this testcase on113 its own for testing or for building a binary to use in testing binary114 analysis tools. It is not used when compiling all the testcases as one115 application, which is how source code analysis tools are tested. */116117#ifdef INCLUDEMAIN118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07_good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07_bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__char_alloca_memcpy_01.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-01.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__char_alloca_memcpy_01_bad()24{✓ 25 char * data;✓ 26 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));✓ 27 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));✓ 28 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */✓ 29 dataBadBuffer[50-1] = '\0'; /* null terminate */✓ 30 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */✓ 31 dataGoodBuffer[100-1] = '\0'; /* null terminate */32 /* FLAW: Set data pointer to a small buffer */✓ 33 data = dataBadBuffer;34 {✓ 35 char dest[100];✓ 36 memset(dest, 'C', 100-1);✓ 37 dest[100-1] = '\0'; /* null terminate */38 /* POTENTIAL FLAW: using memcpy with the length of the dest where data39 * could be smaller than dest causing buffer overread */✓ 40 memcpy(dest, data, strlen(dest)*sizeof(char));❗VULN✓ 41 dest[100-1] = '\0';✓ 42 printLine(dest);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B uses the GoodSource with the BadSink */51static void goodG2B()52{53 char * data;54 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));55 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));56 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */57 dataBadBuffer[50-1] = '\0'; /* null terminate */58 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */59 dataGoodBuffer[100-1] = '\0'; /* null terminate */60 /* FIX: Set data pointer to a large buffer */61 data = dataGoodBuffer;62 {63 char dest[100];64 memset(dest, 'C', 100-1);65 dest[100-1] = '\0'; /* null terminate */66 /* POTENTIAL FLAW: using memcpy with the length of the dest where data67 * could be smaller than dest causing buffer overread */68 memcpy(dest, data, strlen(dest)*sizeof(char));69 dest[100-1] = '\0';70 printLine(dest);71 }72}7374void CWE126_Buffer_Overread__char_alloca_memcpy_01_good()75{76 goodG2B();77}7879#endif /* OMITGOOD */8081/* Below is the main(). It is only used when building this testcase on82 * its own for testing or for building a binary to use in testing binary83 * analysis tools. It is not used when compiling all the testcases as one84 * application, which is how source code analysis tools are tested.85 */8687#ifdef INCLUDEMAIN8889int main(int argc, char * argv[])90{91 /* seed randomness */92 srand( (unsigned)time(NULL) );93#ifndef OMITGOOD94 printLine("Calling good()...");95 CWE126_Buffer_Overread__char_alloca_memcpy_01_good();96 printLine("Finished good()");97#endif /* OMITGOOD */98#ifndef OMITBAD99 printLine("Calling bad()...");100 CWE126_Buffer_Overread__char_alloca_memcpy_01_bad();101 printLine("Finished bad()");102#endif /* OMITBAD */103 return 0;104}105106#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__char_declare_loop_14.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-14.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__char_declare_loop_14_bad()24{✓ 25 char * data;✓ 26 char dataBuffer[100];✓ 27 memset(dataBuffer, 'A', 100-1);✓ 28 dataBuffer[100-1] = '\0';✓ 29 if(globalFive==5)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 size_t i;✓ 36 char source[100];✓ 37 memset(source, 'C', 100-1); /* fill with 'C's */✓ 38 source[100-1] = '\0'; /* null terminate */39 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 40 for (i = 0; i < 100; i++)41 {✓ 42 data[i] = source[i];❗VULN43 }44 /* Ensure the destination buffer is null terminated */✓ 45 data[100-1] = '\0';✓ 46 printLine(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */55static void goodG2B1()56{57 char * data;58 char dataBuffer[100];59 memset(dataBuffer, 'A', 100-1);60 dataBuffer[100-1] = '\0';61 if(globalFive!=5)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Set data pointer to the allocated memory buffer */69 data = dataBuffer;70 }71 {72 size_t i;73 char source[100];74 memset(source, 'C', 100-1); /* fill with 'C's */75 source[100-1] = '\0'; /* null terminate */76 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */77 for (i = 0; i < 100; i++)78 {79 data[i] = source[i];80 }81 /* Ensure the destination buffer is null terminated */82 data[100-1] = '\0';83 printLine(data);84 }85}8687/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */88static void goodG2B2()89{90 char * data;91 char dataBuffer[100];92 memset(dataBuffer, 'A', 100-1);93 dataBuffer[100-1] = '\0';94 if(globalFive==5)95 {96 /* FIX: Set data pointer to the allocated memory buffer */97 data = dataBuffer;98 }99 {100 size_t i;101 char source[100];102 memset(source, 'C', 100-1); /* fill with 'C's */103 source[100-1] = '\0'; /* null terminate */104 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */105 for (i = 0; i < 100; i++)106 {107 data[i] = source[i];108 }109 /* Ensure the destination buffer is null terminated */110 data[100-1] = '\0';111 printLine(data);112 }113}114115void CWE124_Buffer_Underwrite__char_declare_loop_14_good()116{117 goodG2B1();118 goodG2B2();119}120121#endif /* OMITGOOD */122123/* Below is the main(). It is only used when building this testcase on124 * its own for testing or for building a binary to use in testing binary125 * analysis tools. It is not used when compiling all the testcases as one126 * application, which is how source code analysis tools are tested.127 */128129#ifdef INCLUDEMAIN130131int main(int argc, char * argv[])132{133 /* seed randomness */134 srand( (unsigned)time(NULL) );135#ifndef OMITGOOD136 printLine("Calling good()...");137 CWE124_Buffer_Underwrite__char_declare_loop_14_good();138 printLine("Finished good()");139#endif /* OMITGOOD */140#ifndef OMITBAD141 printLine("Calling bad()...");142 CWE124_Buffer_Underwrite__char_declare_loop_14_bad();143 printLine("Finished bad()");144#endif /* OMITBAD */145 return 0;146}147148#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 24 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml4Template File: sources-sinks-15.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: fscanf Read data from the console using fscanf()10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 15 Control flow: switch(6) and switch(7)15 *16 * */1718#include "std_testcase.h"1920#ifndef OMITBAD2122void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15_bad()23{✓ 24 int data;25 /* Initialize data */✓ 26 data = -1;✓ 27 switch(6)28 {✓ 29 case 6:30 /* POTENTIAL FLAW: Read data from the console using fscanf() */✓ 31 fscanf(stdin, "%d", &data);✓ 32 break;✓ 33 default:34 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 35 printLine("Benign, fixed string");✓ 36 break;37 }✓ 38 switch(7)39 {✓ 40 case 7:41 {✓ 42 int i;✓ 43 int buffer[10] = { 0 };44 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound45 * This code does check to see if the array index is negative */✓ 46 if (data >= 0)47 {✓ 48 buffer[data] = 1;❗VULN49 /* Print the array values */✓ 50 for(i = 0; i < 10; i++)51 {✓ 52 printIntLine(buffer[i]);53 }54 }55 else56 {✓ 57 printLine("ERROR: Array index is negative.");58 }59 }✓ 60 break;✓ 61 default:62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 63 printLine("Benign, fixed string");✓ 64 break;65 }66}6768#endif /* OMITBAD */6970#ifndef OMITGOOD7172/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */73static void goodB2G1()74{75 int data;76 /* Initialize data */77 data = -1;78 switch(6)79 {80 case 6:81 /* POTENTIAL FLAW: Read data from the console using fscanf() */82 fscanf(stdin, "%d", &data);83 break;84 default:85 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */86 printLine("Benign, fixed string");87 break;88 }89 switch(8)90 {91 case 7:92 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */93 printLine("Benign, fixed string");94 break;95 default:96 {97 int i;98 int buffer[10] = { 0 };99 /* FIX: Properly validate the array index and prevent a buffer overflow */100 if (data >= 0 && data < (10))101 {102 buffer[data] = 1;103 /* Print the array values */104 for(i = 0; i < 10; i++)105 {106 printIntLine(buffer[i]);107 }108 }109 else110 {111 printLine("ERROR: Array index is out-of-bounds");112 }113 }114 break;115 }116}117118/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */119static void goodB2G2()120{121 int data;122 /* Initialize data */123 data = -1;124 switch(6)125 {126 case 6:127 /* POTENTIAL FLAW: Read data from the console using fscanf() */128 fscanf(stdin, "%d", &data);129 break;130 default:131 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */132 printLine("Benign, fixed string");133 break;134 }135 switch(7)136 {137 case 7:138 {139 int i;140 int buffer[10] = { 0 };141 /* FIX: Properly validate the array index and prevent a buffer overflow */142 if (data >= 0 && data < (10))143 {144 buffer[data] = 1;145 /* Print the array values */146 for(i = 0; i < 10; i++)147 {148 printIntLine(buffer[i]);149 }150 }151 else152 {153 printLine("ERROR: Array index is out-of-bounds");154 }155 }156 break;157 default:158 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */159 printLine("Benign, fixed string");160 break;161 }162}163164/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */165static void goodG2B1()166{167 int data;168 /* Initialize data */169 data = -1;170 switch(5)171 {172 case 6:173 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */174 printLine("Benign, fixed string");175 break;176 default:177 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to178 * access an index of the array in the sink that is out-of-bounds */179 data = 7;180 break;181 }182 switch(7)183 {184 case 7:185 {186 int i;187 int buffer[10] = { 0 };188 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound189 * This code does check to see if the array index is negative */190 if (data >= 0)191 {192 buffer[data] = 1;193 /* Print the array values */194 for(i = 0; i < 10; i++)195 {196 printIntLine(buffer[i]);197 }198 }199 else200 {201 printLine("ERROR: Array index is negative.");202 }203 }204 break;205 default:206 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */207 printLine("Benign, fixed string");208 break;209 }210}211212/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */213static void goodG2B2()214{215 int data;216 /* Initialize data */217 data = -1;218 switch(6)219 {220 case 6:221 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to222 * access an index of the array in the sink that is out-of-bounds */223 data = 7;224 break;225 default:226 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */227 printLine("Benign, fixed string");228 break;229 }230 switch(7)231 {232 case 7:233 {234 int i;235 int buffer[10] = { 0 };236 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound237 * This code does check to see if the array index is negative */238 if (data >= 0)239 {240 buffer[data] = 1;241 /* Print the array values */242 for(i = 0; i < 10; i++)243 {244 printIntLine(buffer[i]);245 }246 }247 else248 {249 printLine("ERROR: Array index is negative.");250 }251 }252 break;253 default:254 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */255 printLine("Benign, fixed string");256 break;257 }258}259260void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15_good()261{262 goodB2G1();263 goodB2G2();264 goodG2B1();265 goodG2B2();266}267268#endif /* OMITGOOD */269270/* Below is the main(). It is only used when building this testcase on271 its own for testing or for building a binary to use in testing binary272 analysis tools. It is not used when compiling all the testcases as one273 application, which is how source code analysis tools are tested. */274275#ifdef INCLUDEMAIN276277int main(int argc, char * argv[])278{279 /* seed randomness */280 srand( (unsigned)time(NULL) );281#ifndef OMITGOOD282 printLine("Calling good()...");283 CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15_good();284 printLine("Finished good()");285#endif /* OMITGOOD */286#ifndef OMITBAD287 printLine("Calling bad()...");288 CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15_bad();289 printLine("Finished bad()");290#endif /* OMITBAD */291 return 0;292}293294#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_alloca_loop_01.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-01.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__wchar_t_alloca_loop_01_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';29 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 30 data = dataBuffer - 8;31 {✓ 32 size_t i;✓ 33 wchar_t dest[100];✓ 34 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 35 dest[100-1] = L'\0'; /* null terminate */36 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 37 for (i = 0; i < 100; i++)38 {✓ 39 dest[i] = data[i];❗VULN40 }41 /* Ensure null termination */✓ 42 dest[100-1] = L'\0';✓ 43 printWLine(dest);44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B uses the GoodSource with the BadSink */52static void goodG2B()53{54 wchar_t * data;55 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));56 wmemset(dataBuffer, L'A', 100-1);57 dataBuffer[100-1] = L'\0';58 /* FIX: Set data pointer to the allocated memory buffer */59 data = dataBuffer;60 {61 size_t i;62 wchar_t dest[100];63 wmemset(dest, L'C', 100-1); /* fill with 'C's */64 dest[100-1] = L'\0'; /* null terminate */65 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */66 for (i = 0; i < 100; i++)67 {68 dest[i] = data[i];69 }70 /* Ensure null termination */71 dest[100-1] = L'\0';72 printWLine(dest);73 }74}7576void CWE127_Buffer_Underread__wchar_t_alloca_loop_01_good()77{78 goodG2B();79}8081#endif /* OMITGOOD */8283/* Below is the main(). It is only used when building this testcase on84 * its own for testing or for building a binary to use in testing binary85 * analysis tools. It is not used when compiling all the testcases as one86 * application, which is how source code analysis tools are tested.87 */8889#ifdef INCLUDEMAIN9091int main(int argc, char * argv[])92{93 /* seed randomness */94 srand( (unsigned)time(NULL) );95#ifndef OMITGOOD96 printLine("Calling good()...");97 CWE127_Buffer_Underread__wchar_t_alloca_loop_01_good();98 printLine("Finished good()");99#endif /* OMITGOOD */100#ifndef OMITBAD101 printLine("Calling bad()...");102 CWE127_Buffer_Underread__wchar_t_alloca_loop_01_bad();103 printLine("Finished bad()");104#endif /* OMITBAD */105 return 0;106}107108#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_33.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sinks: ncpy12 * BadSink : Copy data to string using wcsncpy13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_3322{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 wchar_t * &dataRef = data;✓ 30 data = new wchar_t[100];31 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 32 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 33 data[100-1] = L'\0'; /* null terminate */34 {✓ 35 wchar_t * data = dataRef;36 {✓ 37 wchar_t dest[50] = L"";38 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 39 wcsncpy(dest, data, wcslen(data));❗VULN✓ 40 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 41 printWLine(data);✓ 42 delete [] data;43 }44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B() uses the GoodSource with the BadSink */52static void goodG2B()53{54 wchar_t * data;55 wchar_t * &dataRef = data;56 data = new wchar_t[100];57 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */58 wmemset(data, L'A', 50-1); /* fill with L'A's */59 data[50-1] = L'\0'; /* null terminate */60 {61 wchar_t * data = dataRef;62 {63 wchar_t dest[50] = L"";64 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */65 wcsncpy(dest, data, wcslen(data));66 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */67 printWLine(data);68 delete [] data;69 }70 }71}7273void good()74{75 goodG2B();76}7778#endif /* OMITGOOD */7980} /* close namespace */8182/* Below is the main(). It is only used when building this testcase on83 its own for testing or for building a binary to use in testing binary84 analysis tools. It is not used when compiling all the testcases as one85 application, which is how source code analysis tools are tested. */86#ifdef INCLUDEMAIN8788using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_33; /* so that we can use good and bad easily */8990int main(int argc, char * argv[])91{92 /* seed randomness */93 srand( (unsigned)time(NULL) );94#ifndef OMITGOOD95 printLine("Calling good()...");96 good();97 printLine("Finished good()");98#endif /* OMITGOOD */99#ifndef OMITBAD100 printLine("Calling bad()...");101 bad();102 printLine("Finished bad()");103#endif /* OMITBAD */104 return 0;105}106107#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_memcpy_34.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sinks: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021typedef union22{23 char * unionFirst;24 char * unionSecond;25} CWE127_Buffer_Underread__malloc_char_memcpy_34_unionType;2627#ifndef OMITBAD2829void CWE127_Buffer_Underread__malloc_char_memcpy_34_bad()30{✓ 31 char * data;✓ 32 CWE127_Buffer_Underread__malloc_char_memcpy_34_unionType myUnion;✓ 33 data = NULL;34 {✓ 35 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 36 if (dataBuffer == NULL) {exit(-1);}✓ 37 memset(dataBuffer, 'A', 100-1);✓ 38 dataBuffer[100-1] = '\0';39 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 40 data = dataBuffer - 8;41 }✓ 42 myUnion.unionFirst = data;43 {✓ 44 char * data = myUnion.unionSecond;45 {✓ 46 char dest[100];✓ 47 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 48 dest[100-1] = '\0'; /* null terminate */49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 50 memcpy(dest, data, 100*sizeof(char));❗VULN51 /* Ensure null termination */✓ 52 dest[100-1] = '\0';✓ 53 printLine(dest);54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location55 * returned by malloc() so can't safely call free() on it */56 }57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B() uses the GoodSource with the BadSink */65static void goodG2B()66{67 char * data;68 CWE127_Buffer_Underread__malloc_char_memcpy_34_unionType myUnion;69 data = NULL;70 {71 char * dataBuffer = (char *)malloc(100*sizeof(char));72 if (dataBuffer == NULL) {exit(-1);}73 memset(dataBuffer, 'A', 100-1);74 dataBuffer[100-1] = '\0';75 /* FIX: Set data pointer to the allocated memory buffer */76 data = dataBuffer;77 }78 myUnion.unionFirst = data;79 {80 char * data = myUnion.unionSecond;81 {82 char dest[100];83 memset(dest, 'C', 100-1); /* fill with 'C's */84 dest[100-1] = '\0'; /* null terminate */85 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */86 memcpy(dest, data, 100*sizeof(char));87 /* Ensure null termination */88 dest[100-1] = '\0';89 printLine(dest);90 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location91 * returned by malloc() so can't safely call free() on it */92 }93 }94}9596void CWE127_Buffer_Underread__malloc_char_memcpy_34_good()97{98 goodG2B();99}100101#endif /* OMITGOOD */102103/* Below is the main(). It is only used when building this testcase on104 * its own for testing or for building a binary to use in testing binary105 * analysis tools. It is not used when compiling all the testcases as one106 * application, which is how source code analysis tools are tested.107 */108#ifdef INCLUDEMAIN109110int main(int argc, char * argv[])111{112 /* seed randomness */113 srand( (unsigned)time(NULL) );114#ifndef OMITGOOD115 printLine("Calling good()...");116 CWE127_Buffer_Underread__malloc_char_memcpy_34_good();117 printLine("Finished good()");118#endif /* OMITGOOD */119#ifndef OMITBAD120 printLine("Calling bad()...");121 CWE127_Buffer_Underread__malloc_char_memcpy_34_bad();122 printLine("Finished bad()");123#endif /* OMITBAD */124 return 0;125}126127#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 18 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_wchar_t_loop_01.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-01.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 01 Baseline14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__malloc_wchar_t_loop_01_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;27 {✓ 28 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 29 if (dataBuffer == NULL) {exit(-1);}✓ 30 wmemset(dataBuffer, L'A', 100-1);✓ 31 dataBuffer[100-1] = L'\0';32 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 33 data = dataBuffer - 8;34 }35 {✓ 36 size_t i;✓ 37 wchar_t dest[100];✓ 38 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 39 dest[100-1] = L'\0'; /* null terminate */40 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 41 for (i = 0; i < 100; i++)42 {✓ 43 dest[i] = data[i];❗VULN44 }45 /* Ensure null termination */✓ 46 dest[100-1] = L'\0';✓ 47 printWLine(dest);48 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location49 * returned by malloc() so can't safely call free() on it */50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B uses the GoodSource with the BadSink */58static void goodG2B()59{60 wchar_t * data;61 data = NULL;62 {63 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));64 if (dataBuffer == NULL) {exit(-1);}65 wmemset(dataBuffer, L'A', 100-1);66 dataBuffer[100-1] = L'\0';67 /* FIX: Set data pointer to the allocated memory buffer */68 data = dataBuffer;69 }70 {71 size_t i;72 wchar_t dest[100];73 wmemset(dest, L'C', 100-1); /* fill with 'C's */74 dest[100-1] = L'\0'; /* null terminate */75 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */76 for (i = 0; i < 100; i++)77 {78 dest[i] = data[i];79 }80 /* Ensure null termination */81 dest[100-1] = L'\0';82 printWLine(dest);83 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location84 * returned by malloc() so can't safely call free() on it */85 }86}8788void CWE127_Buffer_Underread__malloc_wchar_t_loop_01_good()89{90 goodG2B();91}9293#endif /* OMITGOOD */9495/* Below is the main(). It is only used when building this testcase on96 * its own for testing or for building a binary to use in testing binary97 * analysis tools. It is not used when compiling all the testcases as one98 * application, which is how source code analysis tools are tested.99 */100101#ifdef INCLUDEMAIN102103int main(int argc, char * argv[])104{105 /* seed randomness */106 srand( (unsigned)time(NULL) );107#ifndef OMITGOOD108 printLine("Calling good()...");109 CWE127_Buffer_Underread__malloc_wchar_t_loop_01_good();110 printLine("Finished good()");111#endif /* OMITGOOD */112#ifndef OMITBAD113 printLine("Calling bad()...");114 CWE127_Buffer_Underread__malloc_wchar_t_loop_01_bad();115 printLine("Finished bad()");116#endif /* OMITBAD */117 return 0;118}119120#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-06.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: swprintf12 * BadSink : Copy string to data using swprintf13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627/* The variable below is declared "const", so a tool should be able28 * to identify that reads of this will always give its initialized value. */29static const int STATIC_CONST_FIVE = 5;3031#ifndef OMITBAD3233void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06_bad()34{✓ 35 wchar_t * data;✓ 36 wchar_t dataBadBuffer[50];✓ 37 wchar_t dataGoodBuffer[100];✓ 38 if(STATIC_CONST_FIVE==5)39 {40 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination41 * buffer in various memory copying functions using a "large" source buffer. */✓ 42 data = dataBadBuffer;✓ 43 data[0] = L'\0'; /* null terminate */44 }45 {✓ 46 wchar_t source[100];✓ 47 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 48 source[100-1] = L'\0'; /* null terminate */49 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 50 SNPRINTF(data, 100, L"%s", source);❗VULN✓ 51 printWLine(data);52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */60static void goodG2B1()61{62 wchar_t * data;63 wchar_t dataBadBuffer[50];64 wchar_t dataGoodBuffer[100];65 if(STATIC_CONST_FIVE!=5)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */73 data = dataGoodBuffer;74 data[0] = L'\0'; /* null terminate */75 }76 {77 wchar_t source[100];78 wmemset(source, L'C', 100-1); /* fill with L'C's */79 source[100-1] = L'\0'; /* null terminate */80 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */81 SNPRINTF(data, 100, L"%s", source);82 printWLine(data);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 wchar_t * data;90 wchar_t dataBadBuffer[50];91 wchar_t dataGoodBuffer[100];92 if(STATIC_CONST_FIVE==5)93 {94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */95 data = dataGoodBuffer;96 data[0] = L'\0'; /* null terminate */97 }98 {99 wchar_t source[100];100 wmemset(source, L'C', 100-1); /* fill with L'C's */101 source[100-1] = L'\0'; /* null terminate */102 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */103 SNPRINTF(data, 100, L"%s", source);104 printWLine(data);105 }106}107108void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06_good()109{110 goodG2B1();111 goodG2B2();112}113114#endif /* OMITGOOD */115116/* Below is the main(). It is only used when building this testcase on117 * its own for testing or for building a binary to use in testing binary118 * analysis tools. It is not used when compiling all the testcases as one119 * application, which is how source code analysis tools are tested.120 */121122#ifdef INCLUDEMAIN123124int main(int argc, char * argv[])125{126 /* seed randomness */127 srand( (unsigned)time(NULL) );128#ifndef OMITGOOD129 printLine("Calling good()...");130 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06_good();131 printLine("Finished good()");132#endif /* OMITGOOD */133#ifndef OMITBAD134 printLine("Calling bad()...");135 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06_bad();136 printLine("Finished bad()");137#endif /* OMITBAD */138 return 0;139}140141#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow.label.xml4Template File: point-flaw-04.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * Sinks: type_overrun_memcpy10 * GoodSink: Perform the memcpy() and prevent overwriting part of the structure11 * BadSink : Overwrite part of the structure by incorrectly using the sizeof(struct) in memcpy()12 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)13 *14 * */1516#include "std_testcase.h"1718#ifndef _WIN3219#include <wchar.h>20#endif2122#define SRC_STR L"0123456789abcdef0123456789abcde"2324typedef struct _charVoid25{26 wchar_t charFirst[16];27 void * voidSecond;28 void * voidThird;29} charVoid;3031/* The two variables below are declared "const", so a tool should32 be able to identify that reads of these will always return their33 initialized values. */34static const int STATIC_CONST_TRUE = 1; /* true */35static const int STATIC_CONST_FALSE = 0; /* false */3637#ifndef OMITBAD3839void CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04_bad()40{✓ 41 if(STATIC_CONST_TRUE)42 {43 {✓ 44 charVoid * structCharVoid = (charVoid *)malloc(sizeof(charVoid));✓ 45 if (structCharVoid == NULL) {exit(-1);}✓ 46 structCharVoid->voidSecond = (void *)SRC_STR;47 /* Print the initial block pointed to by structCharVoid->voidSecond */✓ 48 printWLine((wchar_t *)structCharVoid->voidSecond);49 /* FLAW: Use the sizeof(*structCharVoid) which will overwrite the pointer y */✓ 50 memcpy(structCharVoid->charFirst, SRC_STR, sizeof(*structCharVoid));❗VULN✓ 51 structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */✓ 52 printWLine((wchar_t *)structCharVoid->charFirst);✓ 53 printWLine((wchar_t *)structCharVoid->voidSecond);✓ 54 free(structCharVoid);55 }56 }57}5859#endif /* OMITBAD */6061#ifndef OMITGOOD6263/* good1() uses if(STATIC_CONST_FALSE) instead of if(STATIC_CONST_TRUE) */64static void good1()65{66 if(STATIC_CONST_FALSE)67 {68 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */69 printLine("Benign, fixed string");70 }71 else72 {73 {74 charVoid * structCharVoid = (charVoid *)malloc(sizeof(charVoid));75 if (structCharVoid == NULL) {exit(-1);}76 structCharVoid->voidSecond = (void *)SRC_STR;77 /* Print the initial block pointed to by structCharVoid->voidSecond */78 printWLine((wchar_t *)structCharVoid->voidSecond);79 /* FIX: Use the sizeof(structCharVoid->charFirst) to avoid overwriting the pointer y */80 memcpy(structCharVoid->charFirst, SRC_STR, sizeof(structCharVoid->charFirst));81 structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */82 printWLine((wchar_t *)structCharVoid->charFirst);83 printWLine((wchar_t *)structCharVoid->voidSecond);84 free(structCharVoid);85 }86 }87}8889/* good2() reverses the bodies in the if statement */90static void good2()91{92 if(STATIC_CONST_TRUE)93 {94 {95 charVoid * structCharVoid = (charVoid *)malloc(sizeof(charVoid));96 if (structCharVoid == NULL) {exit(-1);}97 structCharVoid->voidSecond = (void *)SRC_STR;98 /* Print the initial block pointed to by structCharVoid->voidSecond */99 printWLine((wchar_t *)structCharVoid->voidSecond);100 /* FIX: Use the sizeof(structCharVoid->charFirst) to avoid overwriting the pointer y */101 memcpy(structCharVoid->charFirst, SRC_STR, sizeof(structCharVoid->charFirst));102 structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */103 printWLine((wchar_t *)structCharVoid->charFirst);104 printWLine((wchar_t *)structCharVoid->voidSecond);105 free(structCharVoid);106 }107 }108}109110void CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04_good()111{112 good1();113 good2();114}115116#endif /* OMITGOOD */117118/* Below is the main(). It is only used when building this testcase on119 its own for testing or for building a binary to use in testing binary120 analysis tools. It is not used when compiling all the testcases as one121 application, which is how source code analysis tools are tested. */122123#ifdef INCLUDEMAIN124125int main(int argc, char * argv[])126{127 /* seed randomness */128 srand( (unsigned)time(NULL) );129#ifndef OMITGOOD130 printLine("Calling good()...");131 CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04_good();132 printLine("Finished good()");133#endif /* OMITGOOD */134#ifndef OMITBAD135 printLine("Calling bad()...");136 CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04_bad();137 printLine("Finished bad()");138#endif /* OMITBAD */139 return 0;140}141142#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_snprintf_11.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml4Template File: sources-sink-11.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: snprintf12 * BadSink : Copy string to data using snprintf13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snprintf23#else24#define SNPRINTF snprintf25#endif2627namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_snprintf_1128{2930#ifndef OMITBAD3132void bad()33{✓ 34 char * data;✓ 35 data = NULL;✓ 36 if(globalReturnsTrue())37 {38 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 39 data = new char[50];✓ 40 data[0] = '\0'; /* null terminate */41 }42 {✓ 43 char source[100];✓ 44 memset(source, 'C', 100-1); /* fill with 'C's */✓ 45 source[100-1] = '\0'; /* null terminate */46 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 47 SNPRINTF(data, 100, "%s", source);❗VULN✓ 48 printLine(data);✓ 49 delete [] data;50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */58static void goodG2B1()59{60 char * data;61 data = NULL;62 if(globalReturnsFalse())63 {64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */65 printLine("Benign, fixed string");66 }67 else68 {69 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */70 data = new char[100];71 data[0] = '\0'; /* null terminate */72 }73 {74 char source[100];75 memset(source, 'C', 100-1); /* fill with 'C's */76 source[100-1] = '\0'; /* null terminate */77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */78 SNPRINTF(data, 100, "%s", source);79 printLine(data);80 delete [] data;81 }82}8384/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */85static void goodG2B2()86{87 char * data;88 data = NULL;89 if(globalReturnsTrue())90 {91 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */92 data = new char[100];93 data[0] = '\0'; /* null terminate */94 }95 {96 char source[100];97 memset(source, 'C', 100-1); /* fill with 'C's */98 source[100-1] = '\0'; /* null terminate */99 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */100 SNPRINTF(data, 100, "%s", source);101 printLine(data);102 delete [] data;103 }104}105106void good()107{108 goodG2B1();109 goodG2B2();110}111112#endif /* OMITGOOD */113114} /* close namespace */115116/* Below is the main(). It is only used when building this testcase on117 its own for testing or for building a binary to use in testing binary118 analysis tools. It is not used when compiling all the testcases as one119 application, which is how source code analysis tools are tested. */120121#ifdef INCLUDEMAIN122123using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_snprintf_11; /* so that we can use good and bad easily */124125int main(int argc, char * argv[])126{127 /* seed randomness */128 srand( (unsigned)time(NULL) );129#ifndef OMITGOOD130 printLine("Calling good()...");131 good();132 printLine("Finished good()");133#endif /* OMITGOOD */134#ifndef OMITBAD135 printLine("Calling bad()...");136 bad();137 printLine("Finished bad()");138#endif /* OMITBAD */139 return 0;140}141142#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_alloca_cpy_09.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-09.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy data to string using wcscpy13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__wchar_t_alloca_cpy_09_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';✓ 29 if(GLOBAL_CONST_TRUE)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 wchar_t dest[100*2];✓ 36 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */✓ 37 dest[100*2-1] = L'\0'; /* null terminate */38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 39 wcscpy(dest, data);❗VULN✓ 40 printWLine(dest);41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */49static void goodG2B1()50{51 wchar_t * data;52 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));53 wmemset(dataBuffer, L'A', 100-1);54 dataBuffer[100-1] = L'\0';55 if(GLOBAL_CONST_FALSE)56 {57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */58 printLine("Benign, fixed string");59 }60 else61 {62 /* FIX: Set data pointer to the allocated memory buffer */63 data = dataBuffer;64 }65 {66 wchar_t dest[100*2];67 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */68 dest[100*2-1] = L'\0'; /* null terminate */69 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */70 wcscpy(dest, data);71 printWLine(dest);72 }73}7475/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */76static void goodG2B2()77{78 wchar_t * data;79 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));80 wmemset(dataBuffer, L'A', 100-1);81 dataBuffer[100-1] = L'\0';82 if(GLOBAL_CONST_TRUE)83 {84 /* FIX: Set data pointer to the allocated memory buffer */85 data = dataBuffer;86 }87 {88 wchar_t dest[100*2];89 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */90 dest[100*2-1] = L'\0'; /* null terminate */91 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */92 wcscpy(dest, data);93 printWLine(dest);94 }95}9697void CWE127_Buffer_Underread__wchar_t_alloca_cpy_09_good()98{99 goodG2B1();100 goodG2B2();101}102103#endif /* OMITGOOD */104105/* Below is the main(). It is only used when building this testcase on106 * its own for testing or for building a binary to use in testing binary107 * analysis tools. It is not used when compiling all the testcases as one108 * application, which is how source code analysis tools are tested.109 */110111#ifdef INCLUDEMAIN112113int main(int argc, char * argv[])114{115 /* seed randomness */116 srand( (unsigned)time(NULL) );117#ifndef OMITGOOD118 printLine("Calling good()...");119 CWE127_Buffer_Underread__wchar_t_alloca_cpy_09_good();120 printLine("Finished good()");121#endif /* OMITGOOD */122#ifndef OMITBAD123 printLine("Calling bad()...");124 CWE127_Buffer_Underread__wchar_t_alloca_cpy_09_bad();125 printLine("Finished bad()");126#endif /* OMITBAD */127 return 0;128}129130#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml4Template File: sources-sink-21.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory without using sizeof(int)10 * GoodSource: Allocate memory using sizeof(int)11 * Sink: memmove12 * BadSink : Copy array to data using memmove()13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021/* The static variable below is used to drive control flow in the source function */22static int badStatic = 0;2324static int * badSource(int * data)25{26 if(badStatic)27 {28 /* FLAW: Allocate memory without using sizeof(int) */29 data = (int *)malloc(10);30 if (data == NULL) {exit(-1);}31 }32 return data;33}3435void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21_bad()36{✓ 37 int * data;✓ 38 data = NULL;✓ 39 badStatic = 1; /* true */✓ 40 data = badSource(data);41 {✓ 42 int source[10] = {0};43 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */✓ 44 memmove(data, source, 10*sizeof(int));❗VULN✓ 45 printIntLine(data[0]);✓ 46 free(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* The static variables below are used to drive control flow in the source functions. */55static int goodG2B1Static = 0;56static int goodG2B2Static = 0;5758/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */59static int * goodG2B1Source(int * data)60{61 if(goodG2B1Static)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Allocate memory using sizeof(int) */69 data = (int *)malloc(10*sizeof(int));70 if (data == NULL) {exit(-1);}71 }72 return data;73}7475static void goodG2B1()76{77 int * data;78 data = NULL;79 goodG2B1Static = 0; /* false */80 data = goodG2B1Source(data);81 {82 int source[10] = {0};83 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */84 memmove(data, source, 10*sizeof(int));85 printIntLine(data[0]);86 free(data);87 }88}8990/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */91static int * goodG2B2Source(int * data)92{93 if(goodG2B2Static)94 {95 /* FIX: Allocate memory using sizeof(int) */96 data = (int *)malloc(10*sizeof(int));97 if (data == NULL) {exit(-1);}98 }99 return data;100}101102static void goodG2B2()103{104 int * data;105 data = NULL;106 goodG2B2Static = 1; /* true */107 data = goodG2B2Source(data);108 {109 int source[10] = {0};110 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */111 memmove(data, source, 10*sizeof(int));112 printIntLine(data[0]);113 free(data);114 }115}116117void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21_good()118{119 goodG2B1();120 goodG2B2();121}122123#endif /* OMITGOOD */124125/* Below is the main(). It is only used when building this testcase on126 * its own for testing or for building a binary to use in testing binary127 * analysis tools. It is not used when compiling all the testcases as one128 * application, which is how source code analysis tools are tested.129 */130131#ifdef INCLUDEMAIN132133int main(int argc, char * argv[])134{135 /* seed randomness */136 srand( (unsigned)time(NULL) );137#ifndef OMITGOOD138 printLine("Calling good()...");139 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21_good();140 printLine("Finished good()");141#endif /* OMITGOOD */142#ifndef OMITBAD143 printLine("Calling bad()...");144 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21_bad();145 printLine("Finished bad()");146#endif /* OMITBAD */147 return 0;148}149150#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_wchar_t_memmove_05.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 * assigned any other value, so a tool should be able to identify that23 * reads of these will always return their initialized values.24 */25static int staticTrue = 1; /* true */26static int staticFalse = 0; /* false */2728#ifndef OMITBAD2930void CWE127_Buffer_Underread__malloc_wchar_t_memmove_05_bad()31{✓ 32 wchar_t * data;✓ 33 data = NULL;✓ 34 if(staticTrue)35 {36 {✓ 37 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 38 if (dataBuffer == NULL) {exit(-1);}✓ 39 wmemset(dataBuffer, L'A', 100-1);✓ 40 dataBuffer[100-1] = L'\0';41 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 42 data = dataBuffer - 8;43 }44 }45 {✓ 46 wchar_t dest[100];✓ 47 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 48 dest[100-1] = L'\0'; /* null terminate */49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 50 memmove(dest, data, 100*sizeof(wchar_t));❗VULN51 /* Ensure null termination */✓ 52 dest[100-1] = L'\0';✓ 53 printWLine(dest);54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location55 * returned by malloc() so can't safely call free() on it */56 }57}5859#endif /* OMITBAD */6061#ifndef OMITGOOD6263/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */64static void goodG2B1()65{66 wchar_t * data;67 data = NULL;68 if(staticFalse)69 {70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */71 printLine("Benign, fixed string");72 }73 else74 {75 {76 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));77 if (dataBuffer == NULL) {exit(-1);}78 wmemset(dataBuffer, L'A', 100-1);79 dataBuffer[100-1] = L'\0';80 /* FIX: Set data pointer to the allocated memory buffer */81 data = dataBuffer;82 }83 }84 {85 wchar_t dest[100];86 wmemset(dest, L'C', 100-1); /* fill with 'C's */87 dest[100-1] = L'\0'; /* null terminate */88 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */89 memmove(dest, data, 100*sizeof(wchar_t));90 /* Ensure null termination */91 dest[100-1] = L'\0';92 printWLine(dest);93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location94 * returned by malloc() so can't safely call free() on it */95 }96}9798/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */99static void goodG2B2()100{101 wchar_t * data;102 data = NULL;103 if(staticTrue)104 {105 {106 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));107 if (dataBuffer == NULL) {exit(-1);}108 wmemset(dataBuffer, L'A', 100-1);109 dataBuffer[100-1] = L'\0';110 /* FIX: Set data pointer to the allocated memory buffer */111 data = dataBuffer;112 }113 }114 {115 wchar_t dest[100];116 wmemset(dest, L'C', 100-1); /* fill with 'C's */117 dest[100-1] = L'\0'; /* null terminate */118 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */119 memmove(dest, data, 100*sizeof(wchar_t));120 /* Ensure null termination */121 dest[100-1] = L'\0';122 printWLine(dest);123 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location124 * returned by malloc() so can't safely call free() on it */125 }126}127128void CWE127_Buffer_Underread__malloc_wchar_t_memmove_05_good()129{130 goodG2B1();131 goodG2B2();132}133134#endif /* OMITGOOD */135136/* Below is the main(). It is only used when building this testcase on137 * its own for testing or for building a binary to use in testing binary138 * analysis tools. It is not used when compiling all the testcases as one139 * application, which is how source code analysis tools are tested.140 */141142#ifdef INCLUDEMAIN143144int main(int argc, char * argv[])145{146 /* seed randomness */147 srand( (unsigned)time(NULL) );148#ifndef OMITGOOD149 printLine("Calling good()...");150 CWE127_Buffer_Underread__malloc_wchar_t_memmove_05_good();151 printLine("Finished good()");152#endif /* OMITGOOD */153#ifndef OMITBAD154 printLine("Calling bad()...");155 CWE127_Buffer_Underread__malloc_wchar_t_memmove_05_bad();156 printLine("Finished bad()");157#endif /* OMITBAD */158 return 0;159}160161#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_11.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_dest.label.xml4Template File: sources-sink-11.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using new[] and set data pointer to a small buffer10 * GoodSource: Allocate using new[] and set data pointer to a large buffer11 * Sink: cpy12 * BadSink : Copy string to data using wcscpy13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_1122{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;✓ 30 if(globalReturnsTrue())31 {32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 33 data = new wchar_t[50];✓ 34 data[0] = L'\0'; /* null terminate */35 }36 {✓ 37 wchar_t source[100];✓ 38 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 39 source[100-1] = L'\0'; /* null terminate */40 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 41 wcscpy(data, source);❗VULN✓ 42 printWLine(data);✓ 43 delete [] data;44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */52static void goodG2B1()53{54 wchar_t * data;55 data = NULL;56 if(globalReturnsFalse())57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */64 data = new wchar_t[100];65 data[0] = L'\0'; /* null terminate */66 }67 {68 wchar_t source[100];69 wmemset(source, L'C', 100-1); /* fill with L'C's */70 source[100-1] = L'\0'; /* null terminate */71 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */72 wcscpy(data, source);73 printWLine(data);74 delete [] data;75 }76}7778/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */79static void goodG2B2()80{81 wchar_t * data;82 data = NULL;83 if(globalReturnsTrue())84 {85 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */86 data = new wchar_t[100];87 data[0] = L'\0'; /* null terminate */88 }89 {90 wchar_t source[100];91 wmemset(source, L'C', 100-1); /* fill with L'C's */92 source[100-1] = L'\0'; /* null terminate */93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */94 wcscpy(data, source);95 printWLine(data);96 delete [] data;97 }98}99100void good()101{102 goodG2B1();103 goodG2B2();104}105106#endif /* OMITGOOD */107108} /* close namespace */109110/* Below is the main(). It is only used when building this testcase on111 its own for testing or for building a binary to use in testing binary112 analysis tools. It is not used when compiling all the testcases as one113 application, which is how source code analysis tools are tested. */114115#ifdef INCLUDEMAIN116117using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_11; /* so that we can use good and bad easily */118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-13.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memcpy12 * BadSink : Copy twoIntsStruct array to data using memcpy13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13_bad()22{✓ 23 twoIntsStruct * data;✓ 24 twoIntsStruct dataBadBuffer[50];✓ 25 twoIntsStruct dataGoodBuffer[100];✓ 26 if(GLOBAL_CONST_FIVE==5)27 {28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination29 * buffer in various memory copying functions using a "large" source buffer. */✓ 30 data = dataBadBuffer;31 }32 {✓ 33 twoIntsStruct source[100];34 {✓ 35 size_t i;36 /* Initialize array */✓ 37 for (i = 0; i < 100; i++)38 {✓ 39 source[i].intOne = 0;✓ 40 source[i].intTwo = 0;41 }42 }43 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 44 memcpy(data, source, 100*sizeof(twoIntsStruct));❗VULN✓ 45 printStructLine(&data[0]);46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */54static void goodG2B1()55{56 twoIntsStruct * data;57 twoIntsStruct dataBadBuffer[50];58 twoIntsStruct dataGoodBuffer[100];59 if(GLOBAL_CONST_FIVE!=5)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */67 data = dataGoodBuffer;68 }69 {70 twoIntsStruct source[100];71 {72 size_t i;73 /* Initialize array */74 for (i = 0; i < 100; i++)75 {76 source[i].intOne = 0;77 source[i].intTwo = 0;78 }79 }80 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */81 memcpy(data, source, 100*sizeof(twoIntsStruct));82 printStructLine(&data[0]);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 twoIntsStruct * data;90 twoIntsStruct dataBadBuffer[50];91 twoIntsStruct dataGoodBuffer[100];92 if(GLOBAL_CONST_FIVE==5)93 {94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */95 data = dataGoodBuffer;96 }97 {98 twoIntsStruct source[100];99 {100 size_t i;101 /* Initialize array */102 for (i = 0; i < 100; i++)103 {104 source[i].intOne = 0;105 source[i].intTwo = 0;106 }107 }108 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */109 memcpy(data, source, 100*sizeof(twoIntsStruct));110 printStructLine(&data[0]);111 }112}113114void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13_good()115{116 goodG2B1();117 goodG2B2();118}119120#endif /* OMITGOOD */121122/* Below is the main(). It is only used when building this testcase on123 * its own for testing or for building a binary to use in testing binary124 * analysis tools. It is not used when compiling all the testcases as one125 * application, which is how source code analysis tools are tested.126 */127128#ifdef INCLUDEMAIN129130int main(int argc, char * argv[])131{132 /* seed randomness */133 srand( (unsigned)time(NULL) );134#ifndef OMITGOOD135 printLine("Calling good()...");136 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13_good();137 printLine("Finished good()");138#endif /* OMITGOOD */139#ifndef OMITBAD140 printLine("Calling bad()...");141 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13_bad();142 printLine("Finished bad()");143#endif /* OMITBAD */144 return 0;145}146147#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_memmove_18.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__malloc_char_memmove_18_bad()24{✓ 25 char * data;✓ 26 data = NULL;✓ 27 goto source;✓ 28source:29 {✓ 30 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 memset(dataBuffer, 'A', 100-1);✓ 33 dataBuffer[100-1] = '\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 {✓ 38 char dest[100];✓ 39 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 40 dest[100-1] = '\0'; /* null terminate */41 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 42 memmove(dest, data, 100*sizeof(char));❗VULN43 /* Ensure null termination */✓ 44 dest[100-1] = '\0';✓ 45 printLine(dest);46 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location47 * returned by malloc() so can't safely call free() on it */48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */56static void goodG2B()57{58 char * data;59 data = NULL;60 goto source;61source:62 {63 char * dataBuffer = (char *)malloc(100*sizeof(char));64 if (dataBuffer == NULL) {exit(-1);}65 memset(dataBuffer, 'A', 100-1);66 dataBuffer[100-1] = '\0';67 /* FIX: Set data pointer to the allocated memory buffer */68 data = dataBuffer;69 }70 {71 char dest[100];72 memset(dest, 'C', 100-1); /* fill with 'C's */73 dest[100-1] = '\0'; /* null terminate */74 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */75 memmove(dest, data, 100*sizeof(char));76 /* Ensure null termination */77 dest[100-1] = '\0';78 printLine(dest);79 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location80 * returned by malloc() so can't safely call free() on it */81 }82}8384void CWE127_Buffer_Underread__malloc_char_memmove_18_good()85{86 goodG2B();87}8889#endif /* OMITGOOD */9091/* Below is the main(). It is only used when building this testcase on92 * its own for testing or for building a binary to use in testing binary93 * analysis tools. It is not used when compiling all the testcases as one94 * application, which is how source code analysis tools are tested.95 */9697#ifdef INCLUDEMAIN9899int main(int argc, char * argv[])100{101 /* seed randomness */102 srand( (unsigned)time(NULL) );103#ifndef OMITGOOD104 printLine("Calling good()...");105 CWE127_Buffer_Underread__malloc_char_memmove_18_good();106 printLine("Finished good()");107#endif /* OMITGOOD */108#ifndef OMITBAD109 printLine("Calling bad()...");110 CWE127_Buffer_Underread__malloc_char_memmove_18_bad();111 printLine("Finished bad()");112#endif /* OMITBAD */113 return 0;114}115116#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__malloc_char_loop_61a.c3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml4Template File: sources-sink-61a.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sinks: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 61 Data flow: data returned from one function to another in different source files14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223/* bad function declaration */24char * CWE124_Buffer_Underwrite__malloc_char_loop_61b_badSource(char * data);2526void CWE124_Buffer_Underwrite__malloc_char_loop_61_bad()27{✓ 28 char * data;✓ 29 data = NULL;✓ 30 data = CWE124_Buffer_Underwrite__malloc_char_loop_61b_badSource(data);31 {✓ 32 size_t i;✓ 33 char source[100];✓ 34 memset(source, 'C', 100-1); /* fill with 'C's */✓ 35 source[100-1] = '\0'; /* null terminate */36 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 37 for (i = 0; i < 100; i++)38 {✓ 39 data[i] = source[i];❗VULN40 }41 /* Ensure the destination buffer is null terminated */✓ 42 data[100-1] = '\0';✓ 43 printLine(data);44 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location45 * returned by malloc() so can't safely call free() on it */46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B uses the GoodSource with the BadSink */54char * CWE124_Buffer_Underwrite__malloc_char_loop_61b_goodG2BSource(char * data);5556static void goodG2B()57{58 char * data;59 data = NULL;60 data = CWE124_Buffer_Underwrite__malloc_char_loop_61b_goodG2BSource(data);61 {62 size_t i;63 char source[100];64 memset(source, 'C', 100-1); /* fill with 'C's */65 source[100-1] = '\0'; /* null terminate */66 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */67 for (i = 0; i < 100; i++)68 {69 data[i] = source[i];70 }71 /* Ensure the destination buffer is null terminated */72 data[100-1] = '\0';73 printLine(data);74 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location75 * returned by malloc() so can't safely call free() on it */76 }77}7879void CWE124_Buffer_Underwrite__malloc_char_loop_61_good()80{81 goodG2B();82}8384#endif /* OMITGOOD */8586/* Below is the main(). It is only used when building this testcase on87 * its own for testing or for building a binary to use in testing binary88 * analysis tools. It is not used when compiling all the testcases as one89 * application, which is how source code analysis tools are tested.90 */9192#ifdef INCLUDEMAIN9394int main(int argc, char * argv[])95{96 /* seed randomness */97 srand( (unsigned)time(NULL) );98#ifndef OMITGOOD99 printLine("Calling good()...");100 CWE124_Buffer_Underwrite__malloc_char_loop_61_good();101 printLine("Finished good()");102#endif /* OMITGOOD */103#ifndef OMITBAD104 printLine("Calling bad()...");105 CWE124_Buffer_Underwrite__malloc_char_loop_61_bad();106 printLine("Finished bad()");107#endif /* OMITBAD */108 return 0;109}110111#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: cat12 * BadSink : Copy data to string using wcscat13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 * assigned any other value, so a tool should be able to identify that23 * reads of these will always return their initialized values.24 */25static int staticTrue = 1; /* true */26static int staticFalse = 0; /* false */2728#ifndef OMITBAD2930void CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05_bad()31{✓ 32 wchar_t * data;✓ 33 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 34 data = dataBuffer;✓ 35 if(staticTrue)36 {37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 38 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 39 data[100-1] = L'\0'; /* null terminate */40 }41 {✓ 42 wchar_t dest[50] = L"";43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/✓ 44 wcscat(dest, data);❗VULN✓ 45 printWLine(data);46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */54static void goodG2B1()55{56 wchar_t * data;57 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));58 data = dataBuffer;59 if(staticFalse)60 {61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */62 printLine("Benign, fixed string");63 }64 else65 {66 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */67 wmemset(data, L'A', 50-1); /* fill with L'A's */68 data[50-1] = L'\0'; /* null terminate */69 }70 {71 wchar_t dest[50] = L"";72 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/73 wcscat(dest, data);74 printWLine(data);75 }76}7778/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */79static void goodG2B2()80{81 wchar_t * data;82 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));83 data = dataBuffer;84 if(staticTrue)85 {86 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */87 wmemset(data, L'A', 50-1); /* fill with L'A's */88 data[50-1] = L'\0'; /* null terminate */89 }90 {91 wchar_t dest[50] = L"";92 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/93 wcscat(dest, data);94 printWLine(data);95 }96}9798void CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05_good()99{100 goodG2B1();101 goodG2B2();102}103104#endif /* OMITGOOD */105106/* Below is the main(). It is only used when building this testcase on107 * its own for testing or for building a binary to use in testing binary108 * analysis tools. It is not used when compiling all the testcases as one109 * application, which is how source code analysis tools are tested.110 */111112#ifdef INCLUDEMAIN113114int main(int argc, char * argv[])115{116 /* seed randomness */117 srand( (unsigned)time(NULL) );118#ifndef OMITGOOD119 printLine("Calling good()...");120 CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05_good();121 printLine("Finished good()");122#endif /* OMITGOOD */123#ifndef OMITBAD124 printLine("Calling bad()...");125 CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05_bad();126 printLine("Finished bad()");127#endif /* OMITBAD */128 return 0;129}130131#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 20 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__char_declare_loop_10.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-10.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__char_declare_loop_10_bad()24{✓ 25 char * data;✓ 26 char dataBadBuffer[50];✓ 27 char dataGoodBuffer[100];✓ 28 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */✓ 29 dataBadBuffer[50-1] = '\0'; /* null terminate */✓ 30 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */✓ 31 dataGoodBuffer[100-1] = '\0'; /* null terminate */✓ 32 if(globalTrue)33 {34 /* FLAW: Set data pointer to a small buffer */✓ 35 data = dataBadBuffer;36 }37 {✓ 38 size_t i, destLen;✓ 39 char dest[100];✓ 40 memset(dest, 'C', 100-1);✓ 41 dest[100-1] = '\0'; /* null terminate */✓ 42 destLen = strlen(dest);43 /* POTENTIAL FLAW: using length of the dest where data44 * could be smaller than dest causing buffer overread */✓ 45 for (i = 0; i < destLen; i++)46 {✓ 47 dest[i] = data[i];❗VULN48 }✓ 49 dest[100-1] = '\0';✓ 50 printLine(dest);51 }52}5354#endif /* OMITBAD */5556#ifndef OMITGOOD5758/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */59static void goodG2B1()60{61 char * data;62 char dataBadBuffer[50];63 char dataGoodBuffer[100];64 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */65 dataBadBuffer[50-1] = '\0'; /* null terminate */66 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */67 dataGoodBuffer[100-1] = '\0'; /* null terminate */68 if(globalFalse)69 {70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */71 printLine("Benign, fixed string");72 }73 else74 {75 /* FIX: Set data pointer to a large buffer */76 data = dataGoodBuffer;77 }78 {79 size_t i, destLen;80 char dest[100];81 memset(dest, 'C', 100-1);82 dest[100-1] = '\0'; /* null terminate */83 destLen = strlen(dest);84 /* POTENTIAL FLAW: using length of the dest where data85 * could be smaller than dest causing buffer overread */86 for (i = 0; i < destLen; i++)87 {88 dest[i] = data[i];89 }90 dest[100-1] = '\0';91 printLine(dest);92 }93}9495/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */96static void goodG2B2()97{98 char * data;99 char dataBadBuffer[50];100 char dataGoodBuffer[100];101 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */102 dataBadBuffer[50-1] = '\0'; /* null terminate */103 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */104 dataGoodBuffer[100-1] = '\0'; /* null terminate */105 if(globalTrue)106 {107 /* FIX: Set data pointer to a large buffer */108 data = dataGoodBuffer;109 }110 {111 size_t i, destLen;112 char dest[100];113 memset(dest, 'C', 100-1);114 dest[100-1] = '\0'; /* null terminate */115 destLen = strlen(dest);116 /* POTENTIAL FLAW: using length of the dest where data117 * could be smaller than dest causing buffer overread */118 for (i = 0; i < destLen; i++)119 {120 dest[i] = data[i];121 }122 dest[100-1] = '\0';123 printLine(dest);124 }125}126127void CWE126_Buffer_Overread__char_declare_loop_10_good()128{129 goodG2B1();130 goodG2B2();131}132133#endif /* OMITGOOD */134135/* Below is the main(). It is only used when building this testcase on136 * its own for testing or for building a binary to use in testing binary137 * analysis tools. It is not used when compiling all the testcases as one138 * application, which is how source code analysis tools are tested.139 */140141#ifdef INCLUDEMAIN142143int main(int argc, char * argv[])144{145 /* seed randomness */146 srand( (unsigned)time(NULL) );147#ifndef OMITGOOD148 printLine("Calling good()...");149 CWE126_Buffer_Overread__char_declare_loop_10_good();150 printLine("Finished good()");151#endif /* OMITGOOD */152#ifndef OMITBAD153 printLine("Calling bad()...");154 CWE126_Buffer_Overread__char_declare_loop_10_bad();155 printLine("Finished bad()");156#endif /* OMITBAD */157 return 0;158}159160#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 21 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__char_declare_loop_16.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-16.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__char_declare_loop_16_bad()24{✓ 25 char * data;✓ 26 char dataBadBuffer[50];✓ 27 char dataGoodBuffer[100];✓ 28 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */✓ 29 dataBadBuffer[50-1] = '\0'; /* null terminate */✓ 30 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */✓ 31 dataGoodBuffer[100-1] = '\0'; /* null terminate */✓ 32 while(1)33 {34 /* FLAW: Set data pointer to a small buffer */✓ 35 data = dataBadBuffer;✓ 36 break;37 }38 {✓ 39 size_t i, destLen;✓ 40 char dest[100];✓ 41 memset(dest, 'C', 100-1);✓ 42 dest[100-1] = '\0'; /* null terminate */✓ 43 destLen = strlen(dest);44 /* POTENTIAL FLAW: using length of the dest where data45 * could be smaller than dest causing buffer overread */✓ 46 for (i = 0; i < destLen; i++)47 {✓ 48 dest[i] = data[i];❗VULN49 }✓ 50 dest[100-1] = '\0';✓ 51 printLine(dest);52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */60static void goodG2B()61{62 char * data;63 char dataBadBuffer[50];64 char dataGoodBuffer[100];65 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */66 dataBadBuffer[50-1] = '\0'; /* null terminate */67 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */68 dataGoodBuffer[100-1] = '\0'; /* null terminate */69 while(1)70 {71 /* FIX: Set data pointer to a large buffer */72 data = dataGoodBuffer;73 break;74 }75 {76 size_t i, destLen;77 char dest[100];78 memset(dest, 'C', 100-1);79 dest[100-1] = '\0'; /* null terminate */80 destLen = strlen(dest);81 /* POTENTIAL FLAW: using length of the dest where data82 * could be smaller than dest causing buffer overread */83 for (i = 0; i < destLen; i++)84 {85 dest[i] = data[i];86 }87 dest[100-1] = '\0';88 printLine(dest);89 }90}9192void CWE126_Buffer_Overread__char_declare_loop_16_good()93{94 goodG2B();95}9697#endif /* OMITGOOD */9899/* Below is the main(). It is only used when building this testcase on100 * its own for testing or for building a binary to use in testing binary101 * analysis tools. It is not used when compiling all the testcases as one102 * application, which is how source code analysis tools are tested.103 */104105#ifdef INCLUDEMAIN106107int main(int argc, char * argv[])108{109 /* seed randomness */110 srand( (unsigned)time(NULL) );111#ifndef OMITGOOD112 printLine("Calling good()...");113 CWE126_Buffer_Overread__char_declare_loop_16_good();114 printLine("Finished good()");115#endif /* OMITGOOD */116#ifndef OMITBAD117 printLine("Calling bad()...");118 CWE126_Buffer_Overread__char_declare_loop_16_bad();119 printLine("Finished bad()");120#endif /* OMITBAD */121 return 0;122}123124#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22a.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-22a.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: swprintf12 * BadSink : Copy data to string using swprintf13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627#ifndef OMITBAD2829/* The global variable below is used to drive control flow in the source function */30int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_badGlobal = 0;3132wchar_t * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_badSource(wchar_t * data);3334void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_bad()35{✓ 36 wchar_t * data;✓ 37 data = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 38 if (data == NULL) {exit(-1);}✓ 39 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_badGlobal = 1; /* true */✓ 40 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_badSource(data);41 {✓ 42 wchar_t dest[50] = L"";43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 44 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN✓ 45 printWLine(data);✓ 46 free(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* The global variables below are used to drive control flow in the source functions. */55int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B1Global = 0;56int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B2Global = 0;5758/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */59wchar_t * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B1Source(wchar_t * data);6061static void goodG2B1()62{63 wchar_t * data;64 data = (wchar_t *)malloc(100*sizeof(wchar_t));65 if (data == NULL) {exit(-1);}66 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B1Global = 0; /* false */67 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B1Source(data);68 {69 wchar_t dest[50] = L"";70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */71 SNPRINTF(dest, wcslen(data), L"%s", data);72 printWLine(data);73 free(data);74 }75}7677/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */78wchar_t * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B2Source(wchar_t * data);7980static void goodG2B2()81{82 wchar_t * data;83 data = (wchar_t *)malloc(100*sizeof(wchar_t));84 if (data == NULL) {exit(-1);}85 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B2Global = 1; /* true */86 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B2Source(data);87 {88 wchar_t dest[50] = L"";89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */90 SNPRINTF(dest, wcslen(data), L"%s", data);91 printWLine(data);92 free(data);93 }94}9596void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_good()97{98 goodG2B1();99 goodG2B2();100}101102#endif /* OMITGOOD */103104/* Below is the main(). It is only used when building this testcase on105 * its own for testing or for building a binary to use in testing binary106 * analysis tools. It is not used when compiling all the testcases as one107 * application, which is how source code analysis tools are tested.108 */109110#ifdef INCLUDEMAIN111112int main(int argc, char * argv[])113{114 /* seed randomness */115 srand( (unsigned)time(NULL) );116#ifndef OMITGOOD117 printLine("Calling good()...");118 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_good();119 printLine("Finished good()");120#endif /* OMITGOOD */121#ifndef OMITBAD122 printLine("Calling bad()...");123 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_bad();124 printLine("Finished bad()");125#endif /* OMITBAD */126 return 0;127}128129#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__char_alloca_memcpy_04.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-04.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are declared "const", so a tool should22 * be able to identify that reads of these will always return their23 * initialized values.24 */25static const int STATIC_CONST_TRUE = 1; /* true */26static const int STATIC_CONST_FALSE = 0; /* false */2728#ifndef OMITBAD2930void CWE124_Buffer_Underwrite__char_alloca_memcpy_04_bad()31{✓ 32 char * data;✓ 33 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 34 memset(dataBuffer, 'A', 100-1);✓ 35 dataBuffer[100-1] = '\0';✓ 36 if(STATIC_CONST_TRUE)37 {38 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 39 data = dataBuffer - 8;40 }41 {✓ 42 char source[100];✓ 43 memset(source, 'C', 100-1); /* fill with 'C's */✓ 44 source[100-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 46 memcpy(data, source, 100*sizeof(char));❗VULN47 /* Ensure the destination buffer is null terminated */✓ 48 data[100-1] = '\0';✓ 49 printLine(data);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */58static void goodG2B1()59{60 char * data;61 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));62 memset(dataBuffer, 'A', 100-1);63 dataBuffer[100-1] = '\0';64 if(STATIC_CONST_FALSE)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 /* FIX: Set data pointer to the allocated memory buffer */72 data = dataBuffer;73 }74 {75 char source[100];76 memset(source, 'C', 100-1); /* fill with 'C's */77 source[100-1] = '\0'; /* null terminate */78 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */79 memcpy(data, source, 100*sizeof(char));80 /* Ensure the destination buffer is null terminated */81 data[100-1] = '\0';82 printLine(data);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 char * data;90 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));91 memset(dataBuffer, 'A', 100-1);92 dataBuffer[100-1] = '\0';93 if(STATIC_CONST_TRUE)94 {95 /* FIX: Set data pointer to the allocated memory buffer */96 data = dataBuffer;97 }98 {99 char source[100];100 memset(source, 'C', 100-1); /* fill with 'C's */101 source[100-1] = '\0'; /* null terminate */102 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */103 memcpy(data, source, 100*sizeof(char));104 /* Ensure the destination buffer is null terminated */105 data[100-1] = '\0';106 printLine(data);107 }108}109110void CWE124_Buffer_Underwrite__char_alloca_memcpy_04_good()111{112 goodG2B1();113 goodG2B2();114}115116#endif /* OMITGOOD */117118/* Below is the main(). It is only used when building this testcase on119 * its own for testing or for building a binary to use in testing binary120 * analysis tools. It is not used when compiling all the testcases as one121 * application, which is how source code analysis tools are tested.122 */123124#ifdef INCLUDEMAIN125126int main(int argc, char * argv[])127{128 /* seed randomness */129 srand( (unsigned)time(NULL) );130#ifndef OMITGOOD131 printLine("Calling good()...");132 CWE124_Buffer_Underwrite__char_alloca_memcpy_04_good();133 printLine("Finished good()");134#endif /* OMITGOOD */135#ifndef OMITBAD136 printLine("Calling bad()...");137 CWE124_Buffer_Underwrite__char_alloca_memcpy_04_bad();138 printLine("Finished bad()");139#endif /* OMITBAD */140 return 0;141}142143#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: loop12 * BadSink : Copy int array to data using a loop13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02_bad()22{✓ 23 int * data;✓ 24 int dataBadBuffer[50];✓ 25 int dataGoodBuffer[100];✓ 26 if(1)27 {28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination29 * buffer in various memory copying functions using a "large" source buffer. */✓ 30 data = dataBadBuffer;31 }32 {✓ 33 int source[100] = {0}; /* fill with 0's */34 {✓ 35 size_t i;36 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 37 for (i = 0; i < 100; i++)38 {✓ 39 data[i] = source[i];❗VULN40 }✓ 41 printIntLine(data[0]);42 }43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */51static void goodG2B1()52{53 int * data;54 int dataBadBuffer[50];55 int dataGoodBuffer[100];56 if(0)57 {58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */59 printLine("Benign, fixed string");60 }61 else62 {63 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */64 data = dataGoodBuffer;65 }66 {67 int source[100] = {0}; /* fill with 0's */68 {69 size_t i;70 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */71 for (i = 0; i < 100; i++)72 {73 data[i] = source[i];74 }75 printIntLine(data[0]);76 }77 }78}7980/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */81static void goodG2B2()82{83 int * data;84 int dataBadBuffer[50];85 int dataGoodBuffer[100];86 if(1)87 {88 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */89 data = dataGoodBuffer;90 }91 {92 int source[100] = {0}; /* fill with 0's */93 {94 size_t i;95 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */96 for (i = 0; i < 100; i++)97 {98 data[i] = source[i];99 }100 printIntLine(data[0]);101 }102 }103}104105void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02_good()106{107 goodG2B1();108 goodG2B2();109}110111#endif /* OMITGOOD */112113/* Below is the main(). It is only used when building this testcase on114 * its own for testing or for building a binary to use in testing binary115 * analysis tools. It is not used when compiling all the testcases as one116 * application, which is how source code analysis tools are tested.117 */118119#ifdef INCLUDEMAIN120121int main(int argc, char * argv[])122{123 /* seed randomness */124 srand( (unsigned)time(NULL) );125#ifndef OMITGOOD126 printLine("Calling good()...");127 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02_good();128 printLine("Finished good()");129#endif /* OMITGOOD */130#ifndef OMITBAD131 printLine("Calling bad()...");132 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02_bad();133 printLine("Finished bad()");134#endif /* OMITBAD */135 return 0;136}137138#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__wchar_t_declare_memcpy_13.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-13.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__wchar_t_declare_memcpy_13_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t dataBadBuffer[50];✓ 27 wchar_t dataGoodBuffer[100];✓ 28 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */✓ 29 dataBadBuffer[50-1] = L'\0'; /* null terminate */✓ 30 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */✓ 31 dataGoodBuffer[100-1] = L'\0'; /* null terminate */✓ 32 if(GLOBAL_CONST_FIVE==5)33 {34 /* FLAW: Set data pointer to a small buffer */✓ 35 data = dataBadBuffer;36 }37 {✓ 38 wchar_t dest[100];✓ 39 wmemset(dest, L'C', 100-1);✓ 40 dest[100-1] = L'\0'; /* null terminate */41 /* POTENTIAL FLAW: using memcpy with the length of the dest where data42 * could be smaller than dest causing buffer overread */✓ 43 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN✓ 44 dest[100-1] = L'\0';✓ 45 printWLine(dest);46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */54static void goodG2B1()55{56 wchar_t * data;57 wchar_t dataBadBuffer[50];58 wchar_t dataGoodBuffer[100];59 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */60 dataBadBuffer[50-1] = L'\0'; /* null terminate */61 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */62 dataGoodBuffer[100-1] = L'\0'; /* null terminate */63 if(GLOBAL_CONST_FIVE!=5)64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 /* FIX: Set data pointer to a large buffer */71 data = dataGoodBuffer;72 }73 {74 wchar_t dest[100];75 wmemset(dest, L'C', 100-1);76 dest[100-1] = L'\0'; /* null terminate */77 /* POTENTIAL FLAW: using memcpy with the length of the dest where data78 * could be smaller than dest causing buffer overread */79 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));80 dest[100-1] = L'\0';81 printWLine(dest);82 }83}8485/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */86static void goodG2B2()87{88 wchar_t * data;89 wchar_t dataBadBuffer[50];90 wchar_t dataGoodBuffer[100];91 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */92 dataBadBuffer[50-1] = L'\0'; /* null terminate */93 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */94 dataGoodBuffer[100-1] = L'\0'; /* null terminate */95 if(GLOBAL_CONST_FIVE==5)96 {97 /* FIX: Set data pointer to a large buffer */98 data = dataGoodBuffer;99 }100 {101 wchar_t dest[100];102 wmemset(dest, L'C', 100-1);103 dest[100-1] = L'\0'; /* null terminate */104 /* POTENTIAL FLAW: using memcpy with the length of the dest where data105 * could be smaller than dest causing buffer overread */106 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));107 dest[100-1] = L'\0';108 printWLine(dest);109 }110}111112void CWE126_Buffer_Overread__wchar_t_declare_memcpy_13_good()113{114 goodG2B1();115 goodG2B2();116}117118#endif /* OMITGOOD */119120/* Below is the main(). It is only used when building this testcase on121 * its own for testing or for building a binary to use in testing binary122 * analysis tools. It is not used when compiling all the testcases as one123 * application, which is how source code analysis tools are tested.124 */125126#ifdef INCLUDEMAIN127128int main(int argc, char * argv[])129{130 /* seed randomness */131 srand( (unsigned)time(NULL) );132#ifndef OMITGOOD133 printLine("Calling good()...");134 CWE126_Buffer_Overread__wchar_t_declare_memcpy_13_good();135 printLine("Finished good()");136#endif /* OMITGOOD */137#ifndef OMITBAD138 printLine("Calling bad()...");139 CWE126_Buffer_Overread__wchar_t_declare_memcpy_13_bad();140 printLine("Finished bad()");141#endif /* OMITBAD */142 return 0;143}144145#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__char_alloca_memcpy_07.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is not declared "const", but is never assigned22 * any other value so a tool should be able to identify that reads of23 * this will always give its initialized value.24 */25static int staticFive = 5;2627#ifndef OMITBAD2829void CWE124_Buffer_Underwrite__char_alloca_memcpy_07_bad()30{✓ 31 char * data;✓ 32 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));✓ 33 memset(dataBuffer, 'A', 100-1);✓ 34 dataBuffer[100-1] = '\0';✓ 35 if(staticFive==5)36 {37 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 38 data = dataBuffer - 8;39 }40 {✓ 41 char source[100];✓ 42 memset(source, 'C', 100-1); /* fill with 'C's */✓ 43 source[100-1] = '\0'; /* null terminate */44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 45 memcpy(data, source, 100*sizeof(char));❗VULN46 /* Ensure the destination buffer is null terminated */✓ 47 data[100-1] = '\0';✓ 48 printLine(data);49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */57static void goodG2B1()58{59 char * data;60 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));61 memset(dataBuffer, 'A', 100-1);62 dataBuffer[100-1] = '\0';63 if(staticFive!=5)64 {65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */66 printLine("Benign, fixed string");67 }68 else69 {70 /* FIX: Set data pointer to the allocated memory buffer */71 data = dataBuffer;72 }73 {74 char source[100];75 memset(source, 'C', 100-1); /* fill with 'C's */76 source[100-1] = '\0'; /* null terminate */77 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */78 memcpy(data, source, 100*sizeof(char));79 /* Ensure the destination buffer is null terminated */80 data[100-1] = '\0';81 printLine(data);82 }83}8485/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */86static void goodG2B2()87{88 char * data;89 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));90 memset(dataBuffer, 'A', 100-1);91 dataBuffer[100-1] = '\0';92 if(staticFive==5)93 {94 /* FIX: Set data pointer to the allocated memory buffer */95 data = dataBuffer;96 }97 {98 char source[100];99 memset(source, 'C', 100-1); /* fill with 'C's */100 source[100-1] = '\0'; /* null terminate */101 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */102 memcpy(data, source, 100*sizeof(char));103 /* Ensure the destination buffer is null terminated */104 data[100-1] = '\0';105 printLine(data);106 }107}108109void CWE124_Buffer_Underwrite__char_alloca_memcpy_07_good()110{111 goodG2B1();112 goodG2B2();113}114115#endif /* OMITGOOD */116117/* Below is the main(). It is only used when building this testcase on118 * its own for testing or for building a binary to use in testing binary119 * analysis tools. It is not used when compiling all the testcases as one120 * application, which is how source code analysis tools are tested.121 */122123#ifdef INCLUDEMAIN124125int main(int argc, char * argv[])126{127 /* seed randomness */128 srand( (unsigned)time(NULL) );129#ifndef OMITGOOD130 printLine("Calling good()...");131 CWE124_Buffer_Underwrite__char_alloca_memcpy_07_good();132 printLine("Finished good()");133#endif /* OMITGOOD */134#ifndef OMITBAD135 printLine("Calling bad()...");136 CWE124_Buffer_Underwrite__char_alloca_memcpy_07_bad();137 printLine("Finished bad()");138#endif /* OMITBAD */139 return 0;140}141142#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 10 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-31.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sinks: swprintf12 * BadSink : Copy data to string using swprintf13 * Flow Variant: 31 Data flow using a copy of data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snwprintf23#else24#define SNPRINTF swprintf25#endif2627#ifndef OMITBAD2829void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31_bad()30{✓ 31 wchar_t * data;✓ 32 wchar_t dataBuffer[100];✓ 33 data = dataBuffer;34 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 35 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 36 data[100-1] = L'\0'; /* null terminate */37 {✓ 38 wchar_t * dataCopy = data;✓ 39 wchar_t * data = dataCopy;40 {✓ 41 wchar_t dest[50] = L"";42 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 43 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN✓ 44 printWLine(data);45 }46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B() uses the GoodSource with the BadSink */54static void goodG2B()55{56 wchar_t * data;57 wchar_t dataBuffer[100];58 data = dataBuffer;59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */60 wmemset(data, L'A', 50-1); /* fill with L'A's */61 data[50-1] = L'\0'; /* null terminate */62 {63 wchar_t * dataCopy = data;64 wchar_t * data = dataCopy;65 {66 wchar_t dest[50] = L"";67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */68 SNPRINTF(dest, wcslen(data), L"%s", data);69 printWLine(data);70 }71 }72}7374void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31_good()75{76 goodG2B();77}7879#endif /* OMITGOOD */8081/* Below is the main(). It is only used when building this testcase on82 * its own for testing or for building a binary to use in testing binary83 * analysis tools. It is not used when compiling all the testcases as one84 * application, which is how source code analysis tools are tested.85 */86#ifdef INCLUDEMAIN8788int main(int argc, char * argv[])89{90 /* seed randomness */91 srand( (unsigned)time(NULL) );92#ifndef OMITGOOD93 printLine("Calling good()...");94 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31_good();95 printLine("Finished good()");96#endif /* OMITGOOD */97#ifndef OMITBAD98 printLine("Calling bad()...");99 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31_bad();100 printLine("Finished bad()");101#endif /* OMITBAD */102 return 0;103}104105#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 2 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE135_17.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE135.label.xml4Template File: sources-sinks-17.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Void pointer to a wchar_t array10 * GoodSource: Void pointer to a char array11 * Sinks:12 * GoodSink: Allocate memory using wcslen() and copy data13 * BadSink : Allocate memory using strlen() and copy data14 * Flow Variant: 17 Control flow: for loops15 *16 * */1718#include "std_testcase.h"1920#include <wchar.h>2122#define WIDE_STRING L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"23#define CHAR_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"2425#ifndef OMITBAD2627void CWE121_Stack_Based_Buffer_Overflow__CWE135_17_bad()28{✓ 29 int i,j;✓ 30 void * data;✓ 31 data = NULL;✓ 32 for(i = 0; i < 1; i++)33 {34 /* POTENTIAL FLAW: Set data to point to a wide string */✓ 35 data = (void *)WIDE_STRING;36 }✓ 37 for(j = 0; j < 1; j++)38 {39 {40 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */✓ 41 size_t dataLen = strlen((char *)data);❗VULN✓ 42 void * dest = (void *)ALLOCA((dataLen+1) * sizeof(wchar_t));✓ 43 (void)wcscpy(dest, data);❗VULN✓ 44 printLine((char *)dest);45 }46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodB2G() - use badsource and goodsink in the for statements */54static void goodB2G()55{56 int i,k;57 void * data;58 data = NULL;59 for(i = 0; i < 1; i++)60 {61 /* POTENTIAL FLAW: Set data to point to a wide string */62 data = (void *)WIDE_STRING;63 }64 for(k = 0; k < 1; k++)65 {66 {67 /* FIX: treating pointer like a wchar_t* */68 size_t dataLen = wcslen((wchar_t *)data);69 void * dest = (void *)ALLOCA((dataLen+1) * sizeof(wchar_t));70 (void)wcscpy(dest, data);71 printWLine((wchar_t *)dest);72 }73 }74}7576/* goodG2B() - use goodsource and badsink in the for statements */77static void goodG2B()78{79 int h,j;80 void * data;81 data = NULL;82 for(h = 0; h < 1; h++)83 {84 /* FIX: Set data to point to a char string */85 data = (void *)CHAR_STRING;86 }87 for(j = 0; j < 1; j++)88 {89 {90 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */91 size_t dataLen = strlen((char *)data);92 void * dest = (void *)ALLOCA((dataLen+1) * 1);93 (void)strcpy(dest, data);94 printLine((char *)dest);95 }96 }97}9899void CWE121_Stack_Based_Buffer_Overflow__CWE135_17_good()100{101 goodB2G();102 goodG2B();103}104105#endif /* OMITGOOD */106107/* Below is the main(). It is only used when building this testcase on108 its own for testing or for building a binary to use in testing binary109 analysis tools. It is not used when compiling all the testcases as one110 application, which is how source code analysis tools are tested. */111112#ifdef INCLUDEMAIN113114int main(int argc, char * argv[])115{116 /* seed randomness */117 srand( (unsigned)time(NULL) );118#ifndef OMITGOOD119 printLine("Calling good()...");120 CWE121_Stack_Based_Buffer_Overflow__CWE135_17_good();121 printLine("Finished good()");122#endif /* OMITGOOD */123#ifndef OMITBAD124 printLine("Calling bad()...");125 CWE121_Stack_Based_Buffer_Overflow__CWE135_17_bad();126 printLine("Finished bad()");127#endif /* OMITBAD */128 return 0;129}130131#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncpy12 * BadSink : Copy data to string using strncpy13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 * assigned any other value, so a tool should be able to identify that23 * reads of these will always return their initialized values.24 */25static int staticTrue = 1; /* true */26static int staticFalse = 0; /* false */2728#ifndef OMITBAD2930void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05_bad()31{✓ 32 char * data;✓ 33 data = (char *)malloc(100*sizeof(char));✓ 34 if (data == NULL) {exit(-1);}✓ 35 if(staticTrue)36 {37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 38 memset(data, 'A', 100-1); /* fill with 'A's */✓ 39 data[100-1] = '\0'; /* null terminate */40 }41 {✓ 42 char dest[50] = "";43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 44 strncpy(dest, data, strlen(data));❗VULN✓ 45 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 46 printLine(data);✓ 47 free(data);48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */56static void goodG2B1()57{58 char * data;59 data = (char *)malloc(100*sizeof(char));60 if (data == NULL) {exit(-1);}61 if(staticFalse)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */69 memset(data, 'A', 50-1); /* fill with 'A's */70 data[50-1] = '\0'; /* null terminate */71 }72 {73 char dest[50] = "";74 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */75 strncpy(dest, data, strlen(data));76 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */77 printLine(data);78 free(data);79 }80}8182/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */83static void goodG2B2()84{85 char * data;86 data = (char *)malloc(100*sizeof(char));87 if (data == NULL) {exit(-1);}88 if(staticTrue)89 {90 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */91 memset(data, 'A', 50-1); /* fill with 'A's */92 data[50-1] = '\0'; /* null terminate */93 }94 {95 char dest[50] = "";96 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */97 strncpy(dest, data, strlen(data));98 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */99 printLine(data);100 free(data);101 }102}103104void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05_good()105{106 goodG2B1();107 goodG2B2();108}109110#endif /* OMITGOOD */111112/* Below is the main(). It is only used when building this testcase on113 * its own for testing or for building a binary to use in testing binary114 * analysis tools. It is not used when compiling all the testcases as one115 * application, which is how source code analysis tools are tested.116 */117118#ifdef INCLUDEMAIN119120int main(int argc, char * argv[])121{122 /* seed randomness */123 srand( (unsigned)time(NULL) );124#ifndef OMITGOOD125 printLine("Calling good()...");126 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05_good();127 printLine("Finished good()");128#endif /* OMITGOOD */129#ifndef OMITBAD130 printLine("Calling bad()...");131 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05_bad();132 printLine("Finished bad()");133#endif /* OMITBAD */134 return 0;135}136137#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memmove_33.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml4Template File: sources-sink-33.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sinks: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memmove_3322{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 wchar_t * &dataRef = data;✓ 30 data = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 31 if (data == NULL) {exit(-1);}32 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 33 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 34 data[100-1] = L'\0'; /* null terminate */35 {✓ 36 wchar_t * data = dataRef;37 {✓ 38 wchar_t dest[50] = L"";39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 40 memmove(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN✓ 41 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 42 printWLine(data);✓ 43 free(data);44 }45 }46}4748#endif /* OMITBAD */4950#ifndef OMITGOOD5152/* goodG2B() uses the GoodSource with the BadSink */53static void goodG2B()54{55 wchar_t * data;56 wchar_t * &dataRef = data;57 data = (wchar_t *)malloc(100*sizeof(wchar_t));58 if (data == NULL) {exit(-1);}59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */60 wmemset(data, L'A', 50-1); /* fill with L'A's */61 data[50-1] = L'\0'; /* null terminate */62 {63 wchar_t * data = dataRef;64 {65 wchar_t dest[50] = L"";66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */67 memmove(dest, data, wcslen(data)*sizeof(wchar_t));68 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */69 printWLine(data);70 free(data);71 }72 }73}7475void good()76{77 goodG2B();78}7980#endif /* OMITGOOD */8182} /* close namespace */8384/* Below is the main(). It is only used when building this testcase on85 * its own for testing or for building a binary to use in testing binary86 * analysis tools. It is not used when compiling all the testcases as one87 * application, which is how source code analysis tools are tested.88 */89#ifdef INCLUDEMAIN9091using namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memmove_33; /* so that we can use good and bad easily */9293int main(int argc, char * argv[])94{95 /* seed randomness */96 srand( (unsigned)time(NULL) );97#ifndef OMITGOOD98 printLine("Calling good()...");99 good();100 printLine("Finished good()");101#endif /* OMITGOOD */102#ifndef OMITBAD103 printLine("Calling bad()...");104 bad();105 printLine("Finished bad()");106#endif /* OMITBAD */107 return 0;108}109110#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: snprintf12 * BadSink : Copy string to data using snprintf13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snprintf23#else24#define SNPRINTF snprintf25#endif2627#ifndef OMITBAD2829void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02_bad()30{✓ 31 char * data;✓ 32 char dataBadBuffer[50];✓ 33 char dataGoodBuffer[100];✓ 34 if(1)35 {36 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination37 * buffer in various memory copying functions using a "large" source buffer. */✓ 38 data = dataBadBuffer;✓ 39 data[0] = '\0'; /* null terminate */40 }41 {✓ 42 char source[100];✓ 43 memset(source, 'C', 100-1); /* fill with 'C's */✓ 44 source[100-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 46 SNPRINTF(data, 100, "%s", source);❗VULN✓ 47 printLine(data);48 }49}5051#endif /* OMITBAD */5253#ifndef OMITGOOD5455/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */56static void goodG2B1()57{58 char * data;59 char dataBadBuffer[50];60 char dataGoodBuffer[100];61 if(0)62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */69 data = dataGoodBuffer;70 data[0] = '\0'; /* null terminate */71 }72 {73 char source[100];74 memset(source, 'C', 100-1); /* fill with 'C's */75 source[100-1] = '\0'; /* null terminate */76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */77 SNPRINTF(data, 100, "%s", source);78 printLine(data);79 }80}8182/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */83static void goodG2B2()84{85 char * data;86 char dataBadBuffer[50];87 char dataGoodBuffer[100];88 if(1)89 {90 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */91 data = dataGoodBuffer;92 data[0] = '\0'; /* null terminate */93 }94 {95 char source[100];96 memset(source, 'C', 100-1); /* fill with 'C's */97 source[100-1] = '\0'; /* null terminate */98 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */99 SNPRINTF(data, 100, "%s", source);100 printLine(data);101 }102}103104void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02_good()105{106 goodG2B1();107 goodG2B2();108}109110#endif /* OMITGOOD */111112/* Below is the main(). It is only used when building this testcase on113 * its own for testing or for building a binary to use in testing binary114 * analysis tools. It is not used when compiling all the testcases as one115 * application, which is how source code analysis tools are tested.116 */117118#ifdef INCLUDEMAIN119120int main(int argc, char * argv[])121{122 /* seed randomness */123 srand( (unsigned)time(NULL) );124#ifndef OMITGOOD125 printLine("Calling good()...");126 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02_good();127 printLine("Finished good()");128#endif /* OMITGOOD */129#ifndef OMITBAD130 printLine("Calling bad()...");131 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02_bad();132 printLine("Finished bad()");133#endif /* OMITBAD */134 return 0;135}136137#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 41 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__CWE839_connect_socket_02.c3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml4Template File: sources-sinks-02.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: connect_socket Read data using a connect socket (client side)10 * GoodSource: Non-negative but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the lower bound14 * Flow Variant: 02 Control flow: if(1) and if(0)15 *16 * */1718#include "std_testcase.h"1920#ifdef _WIN3221#include <winsock2.h>22#include <windows.h>23#include <direct.h>24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */25#define CLOSE_SOCKET closesocket26#else /* NOT _WIN32 */27#include <sys/types.h>28#include <sys/socket.h>29#include <netinet/in.h>30#include <arpa/inet.h>31#include <unistd.h>32#define INVALID_SOCKET -133#define SOCKET_ERROR -134#define CLOSE_SOCKET close35#define SOCKET int36#endif3738#define TCP_PORT 2701539#define IP_ADDRESS "127.0.0.1"40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)4142#ifndef OMITBAD4344void CWE124_Buffer_Underwrite__CWE839_connect_socket_02_bad()45{✓ 46 int data;47 /* Initialize data */✓ 48 data = -1;✓ 49 if(1)50 {51 {52#ifdef _WIN32✓ 53 WSADATA wsaData;✓ 54 int wsaDataInit = 0;55#endif✓ 56 int recvResult;✓ 57 struct sockaddr_in service;✓ 58 SOCKET connectSocket = INVALID_SOCKET;✓ 59 char inputBuffer[CHAR_ARRAY_SIZE];60 do61 {62#ifdef _WIN32✓ 63 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)64 {✓ 65 break;66 }✓ 67 wsaDataInit = 1;68#endif69 /* POTENTIAL FLAW: Read data using a connect socket */✓ 70 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);✓ 71 if (connectSocket == INVALID_SOCKET)72 {✓ 73 break;74 }✓ 75 memset(&service, 0, sizeof(service));✓ 76 service.sin_family = AF_INET;✓ 77 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);✓ 78 service.sin_port = htons(TCP_PORT);✓ 79 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)80 {✓ 81 break;82 }83 /* Abort on error or the connection was closed, make sure to recv one84 * less char than is in the recv_buf in order to append a terminator */✓ 85 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);✓ 86 if (recvResult == SOCKET_ERROR || recvResult == 0)87 {✓ 88 break;89 }90 /* NUL-terminate the string */✓ 91 inputBuffer[recvResult] = '\0';92 /* Convert to int */✓ 93 data = atoi(inputBuffer);94 }✓ 95 while (0);✓ 96 if (connectSocket != INVALID_SOCKET)97 {✓ 98 CLOSE_SOCKET(connectSocket);99 }100#ifdef _WIN32✓101 if (wsaDataInit)102 {✓103 WSACleanup();104 }105#endif106 }107 }✓108 if(1)109 {110 {✓111 int i;✓112 int buffer[10] = { 0 };113 /* POTENTIAL FLAW: Attempt to access a negative index of the array114 * This code does not check to see if the array index is negative */✓115 if (data < 10)116 {✓117 buffer[data] = 1;❗VULN118 /* Print the array values */✓119 for(i = 0; i < 10; i++)120 {✓121 printIntLine(buffer[i]);122 }123 }124 else125 {✓126 printLine("ERROR: Array index is negative.");127 }128 }129 }130}131132#endif /* OMITBAD */133134#ifndef OMITGOOD135136/* goodB2G1() - use badsource and goodsink by changing the second 1 to 0 */137static void goodB2G1()138{139 int data;140 /* Initialize data */141 data = -1;142 if(1)143 {144 {145#ifdef _WIN32146 WSADATA wsaData;147 int wsaDataInit = 0;148#endif149 int recvResult;150 struct sockaddr_in service;151 SOCKET connectSocket = INVALID_SOCKET;152 char inputBuffer[CHAR_ARRAY_SIZE];153 do154 {155#ifdef _WIN32156 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)157 {158 break;159 }160 wsaDataInit = 1;161#endif162 /* POTENTIAL FLAW: Read data using a connect socket */163 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);164 if (connectSocket == INVALID_SOCKET)165 {166 break;167 }168 memset(&service, 0, sizeof(service));169 service.sin_family = AF_INET;170 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);171 service.sin_port = htons(TCP_PORT);172 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)173 {174 break;175 }176 /* Abort on error or the connection was closed, make sure to recv one177 * less char than is in the recv_buf in order to append a terminator */178 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);179 if (recvResult == SOCKET_ERROR || recvResult == 0)180 {181 break;182 }183 /* NUL-terminate the string */184 inputBuffer[recvResult] = '\0';185 /* Convert to int */186 data = atoi(inputBuffer);187 }188 while (0);189 if (connectSocket != INVALID_SOCKET)190 {191 CLOSE_SOCKET(connectSocket);192 }193#ifdef _WIN32194 if (wsaDataInit)195 {196 WSACleanup();197 }198#endif199 }200 }201 if(0)202 {203 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */204 printLine("Benign, fixed string");205 }206 else207 {208 {209 int i;210 int buffer[10] = { 0 };211 /* FIX: Properly validate the array index and prevent a buffer underwrite */212 if (data >= 0 && data < (10))213 {214 buffer[data] = 1;215 /* Print the array values */216 for(i = 0; i < 10; i++)217 {218 printIntLine(buffer[i]);219 }220 }221 else222 {223 printLine("ERROR: Array index is out-of-bounds");224 }225 }226 }227}228229/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */230static void goodB2G2()231{232 int data;233 /* Initialize data */234 data = -1;235 if(1)236 {237 {238#ifdef _WIN32239 WSADATA wsaData;240 int wsaDataInit = 0;241#endif242 int recvResult;243 struct sockaddr_in service;244 SOCKET connectSocket = INVALID_SOCKET;245 char inputBuffer[CHAR_ARRAY_SIZE];246 do247 {248#ifdef _WIN32249 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)250 {251 break;252 }253 wsaDataInit = 1;254#endif255 /* POTENTIAL FLAW: Read data using a connect socket */256 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);257 if (connectSocket == INVALID_SOCKET)258 {259 break;260 }261 memset(&service, 0, sizeof(service));262 service.sin_family = AF_INET;263 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);264 service.sin_port = htons(TCP_PORT);265 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)266 {267 break;268 }269 /* Abort on error or the connection was closed, make sure to recv one270 * less char than is in the recv_buf in order to append a terminator */271 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);272 if (recvResult == SOCKET_ERROR || recvResult == 0)273 {274 break;275 }276 /* NUL-terminate the string */277 inputBuffer[recvResult] = '\0';278 /* Convert to int */279 data = atoi(inputBuffer);280 }281 while (0);282 if (connectSocket != INVALID_SOCKET)283 {284 CLOSE_SOCKET(connectSocket);285 }286#ifdef _WIN32287 if (wsaDataInit)288 {289 WSACleanup();290 }291#endif292 }293 }294 if(1)295 {296 {297 int i;298 int buffer[10] = { 0 };299 /* FIX: Properly validate the array index and prevent a buffer underwrite */300 if (data >= 0 && data < (10))301 {302 buffer[data] = 1;303 /* Print the array values */304 for(i = 0; i < 10; i++)305 {306 printIntLine(buffer[i]);307 }308 }309 else310 {311 printLine("ERROR: Array index is out-of-bounds");312 }313 }314 }315}316317/* goodG2B1() - use goodsource and badsink by changing the first 1 to 0 */318static void goodG2B1()319{320 int data;321 /* Initialize data */322 data = -1;323 if(0)324 {325 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */326 printLine("Benign, fixed string");327 }328 else329 {330 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to331 * access an index of the array in the sink that is out-of-bounds */332 data = 7;333 }334 if(1)335 {336 {337 int i;338 int buffer[10] = { 0 };339 /* POTENTIAL FLAW: Attempt to access a negative index of the array340 * This code does not check to see if the array index is negative */341 if (data < 10)342 {343 buffer[data] = 1;344 /* Print the array values */345 for(i = 0; i < 10; i++)346 {347 printIntLine(buffer[i]);348 }349 }350 else351 {352 printLine("ERROR: Array index is negative.");353 }354 }355 }356}357358/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */359static void goodG2B2()360{361 int data;362 /* Initialize data */363 data = -1;364 if(1)365 {366 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to367 * access an index of the array in the sink that is out-of-bounds */368 data = 7;369 }370 if(1)371 {372 {373 int i;374 int buffer[10] = { 0 };375 /* POTENTIAL FLAW: Attempt to access a negative index of the array376 * This code does not check to see if the array index is negative */377 if (data < 10)378 {379 buffer[data] = 1;380 /* Print the array values */381 for(i = 0; i < 10; i++)382 {383 printIntLine(buffer[i]);384 }385 }386 else387 {388 printLine("ERROR: Array index is negative.");389 }390 }391 }392}393394void CWE124_Buffer_Underwrite__CWE839_connect_socket_02_good()395{396 goodB2G1();397 goodB2G2();398 goodG2B1();399 goodG2B2();400}401402#endif /* OMITGOOD */403404/* Below is the main(). It is only used when building this testcase on405 its own for testing or for building a binary to use in testing binary406 analysis tools. It is not used when compiling all the testcases as one407 application, which is how source code analysis tools are tested. */408409#ifdef INCLUDEMAIN410411int main(int argc, char * argv[])412{413 /* seed randomness */414 srand( (unsigned)time(NULL) );415#ifndef OMITGOOD416 printLine("Calling good()...");417 CWE124_Buffer_Underwrite__CWE839_connect_socket_02_good();418 printLine("Finished good()");419#endif /* OMITGOOD */420#ifndef OMITBAD421 printLine("Calling bad()...");422 CWE124_Buffer_Underwrite__CWE839_connect_socket_02_bad();423 printLine("Finished bad()");424#endif /* OMITBAD */425 return 0;426}427428#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_memcpy_15.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml4Template File: sources-sink-15.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: memcpy12 * BadSink : Copy data to string using memcpy13 * Flow Variant: 15 Control flow: switch(6)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_memcpy_1522{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = new wchar_t[100];✓ 30 switch(6)31 {✓ 32 case 6:33 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 34 wmemset(data, L'A', 100-1); /* fill with L'A's */✓ 35 data[100-1] = L'\0'; /* null terminate */✓ 36 break;✓ 37 default:38 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 39 printLine("Benign, fixed string");✓ 40 break;41 }42 {✓ 43 wchar_t dest[50] = L"";44 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 45 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN✓ 46 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 47 printWLine(data);✓ 48 delete [] data;49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */57static void goodG2B1()58{59 wchar_t * data;60 data = new wchar_t[100];61 switch(5)62 {63 case 6:64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */65 printLine("Benign, fixed string");66 break;67 default:68 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */69 wmemset(data, L'A', 50-1); /* fill with L'A's */70 data[50-1] = L'\0'; /* null terminate */71 break;72 }73 {74 wchar_t dest[50] = L"";75 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */76 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));77 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */78 printWLine(data);79 delete [] data;80 }81}8283/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */84static void goodG2B2()85{86 wchar_t * data;87 data = new wchar_t[100];88 switch(6)89 {90 case 6:91 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */92 wmemset(data, L'A', 50-1); /* fill with L'A's */93 data[50-1] = L'\0'; /* null terminate */94 break;95 default:96 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */97 printLine("Benign, fixed string");98 break;99 }100 {101 wchar_t dest[50] = L"";102 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */103 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));104 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */105 printWLine(data);106 delete [] data;107 }108}109110void good()111{112 goodG2B1();113 goodG2B2();114}115116#endif /* OMITGOOD */117118} /* close namespace */119120/* Below is the main(). It is only used when building this testcase on121 its own for testing or for building a binary to use in testing binary122 analysis tools. It is not used when compiling all the testcases as one123 application, which is how source code analysis tools are tested. */124125#ifdef INCLUDEMAIN126127using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_memcpy_15; /* so that we can use good and bad easily */128129int main(int argc, char * argv[])130{131 /* seed randomness */132 srand( (unsigned)time(NULL) );133#ifndef OMITGOOD134 printLine("Calling good()...");135 good();136 printLine("Finished good()");137#endif /* OMITGOOD */138#ifndef OMITBAD139 printLine("Calling bad()...");140 bad();141 printLine("Finished bad()");142#endif /* OMITBAD */143 return 0;144}145146#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-06.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memmove12 * BadSink : Copy int array to data using memmove13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819/* The variable below is declared "const", so a tool should be able20 * to identify that reads of this will always give its initialized value. */21static const int STATIC_CONST_FIVE = 5;2223#ifndef OMITBAD2425void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06_bad()26{✓ 27 int * data;✓ 28 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));✓ 29 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));✓ 30 if(STATIC_CONST_FIVE==5)31 {32 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination33 * buffer in various memory copying functions using a "large" source buffer. */✓ 34 data = dataBadBuffer;35 }36 {✓ 37 int source[100] = {0}; /* fill with 0's */38 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 39 memmove(data, source, 100*sizeof(int));❗VULN✓ 40 printIntLine(data[0]);41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */49static void goodG2B1()50{51 int * data;52 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));53 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));54 if(STATIC_CONST_FIVE!=5)55 {56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */57 printLine("Benign, fixed string");58 }59 else60 {61 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */62 data = dataGoodBuffer;63 }64 {65 int source[100] = {0}; /* fill with 0's */66 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */67 memmove(data, source, 100*sizeof(int));68 printIntLine(data[0]);69 }70}7172/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */73static void goodG2B2()74{75 int * data;76 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));77 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));78 if(STATIC_CONST_FIVE==5)79 {80 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */81 data = dataGoodBuffer;82 }83 {84 int source[100] = {0}; /* fill with 0's */85 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */86 memmove(data, source, 100*sizeof(int));87 printIntLine(data[0]);88 }89}9091void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06_good()92{93 goodG2B1();94 goodG2B2();95}9697#endif /* OMITGOOD */9899/* Below is the main(). It is only used when building this testcase on100 * its own for testing or for building a binary to use in testing binary101 * analysis tools. It is not used when compiling all the testcases as one102 * application, which is how source code analysis tools are tested.103 */104105#ifdef INCLUDEMAIN106107int main(int argc, char * argv[])108{109 /* seed randomness */110 srand( (unsigned)time(NULL) );111#ifndef OMITGOOD112 printLine("Calling good()...");113 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06_good();114 printLine("Finished good()");115#endif /* OMITGOOD */116#ifndef OMITBAD117 printLine("Calling bad()...");118 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06_bad();119 printLine("Finished bad()");120#endif /* OMITBAD */121 return 0;122}123124#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 24 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__wchar_t_alloca_loop_32.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-32.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE126_Buffer_Overread__wchar_t_alloca_loop_32_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * *dataPtr1 = &data;✓ 27 wchar_t * *dataPtr2 = &data;✓ 28 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));✓ 29 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 30 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */✓ 31 dataBadBuffer[50-1] = L'\0'; /* null terminate */✓ 32 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */✓ 33 dataGoodBuffer[100-1] = L'\0'; /* null terminate */34 {✓ 35 wchar_t * data = *dataPtr1;36 /* FLAW: Set data pointer to a small buffer */✓ 37 data = dataBadBuffer;✓ 38 *dataPtr1 = data;39 }40 {✓ 41 wchar_t * data = *dataPtr2;42 {✓ 43 size_t i, destLen;✓ 44 wchar_t dest[100];✓ 45 wmemset(dest, L'C', 100-1);✓ 46 dest[100-1] = L'\0'; /* null terminate */✓ 47 destLen = wcslen(dest);48 /* POTENTIAL FLAW: using length of the dest where data49 * could be smaller than dest causing buffer overread */✓ 50 for (i = 0; i < destLen; i++)51 {✓ 52 dest[i] = data[i];❗VULN53 }✓ 54 dest[100-1] = L'\0';✓ 55 printWLine(dest);56 }57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B() uses the GoodSource with the BadSink */65static void goodG2B()66{67 wchar_t * data;68 wchar_t * *dataPtr1 = &data;69 wchar_t * *dataPtr2 = &data;70 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));71 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));72 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */73 dataBadBuffer[50-1] = L'\0'; /* null terminate */74 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */75 dataGoodBuffer[100-1] = L'\0'; /* null terminate */76 {77 wchar_t * data = *dataPtr1;78 /* FIX: Set data pointer to a large buffer */79 data = dataGoodBuffer;80 *dataPtr1 = data;81 }82 {83 wchar_t * data = *dataPtr2;84 {85 size_t i, destLen;86 wchar_t dest[100];87 wmemset(dest, L'C', 100-1);88 dest[100-1] = L'\0'; /* null terminate */89 destLen = wcslen(dest);90 /* POTENTIAL FLAW: using length of the dest where data91 * could be smaller than dest causing buffer overread */92 for (i = 0; i < destLen; i++)93 {94 dest[i] = data[i];95 }96 dest[100-1] = L'\0';97 printWLine(dest);98 }99 }100}101102void CWE126_Buffer_Overread__wchar_t_alloca_loop_32_good()103{104 goodG2B();105}106107#endif /* OMITGOOD */108109/* Below is the main(). It is only used when building this testcase on110 * its own for testing or for building a binary to use in testing binary111 * analysis tools. It is not used when compiling all the testcases as one112 * application, which is how source code analysis tools are tested.113 */114#ifdef INCLUDEMAIN115116int main(int argc, char * argv[])117{118 /* seed randomness */119 srand( (unsigned)time(NULL) );120#ifndef OMITGOOD121 printLine("Calling good()...");122 CWE126_Buffer_Overread__wchar_t_alloca_loop_32_good();123 printLine("Finished good()");124#endif /* OMITGOOD */125#ifndef OMITBAD126 printLine("Calling bad()...");127 CWE126_Buffer_Overread__wchar_t_alloca_loop_32_bad();128 printLine("Finished bad()");129#endif /* OMITBAD */130 return 0;131}132133#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 8 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-11.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memmove12 * BadSink : Copy int array to data using memmove13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11_bad()22{✓ 23 int * data;✓ 24 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));✓ 25 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));✓ 26 if(globalReturnsTrue())27 {28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination29 * buffer in various memory copying functions using a "large" source buffer. */✓ 30 data = dataBadBuffer;31 }32 {✓ 33 int source[100] = {0}; /* fill with 0's */34 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 35 memmove(data, source, 100*sizeof(int));❗VULN✓ 36 printIntLine(data[0]);37 }38}3940#endif /* OMITBAD */4142#ifndef OMITGOOD4344/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */45static void goodG2B1()46{47 int * data;48 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));49 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));50 if(globalReturnsFalse())51 {52 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */53 printLine("Benign, fixed string");54 }55 else56 {57 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */58 data = dataGoodBuffer;59 }60 {61 int source[100] = {0}; /* fill with 0's */62 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */63 memmove(data, source, 100*sizeof(int));64 printIntLine(data[0]);65 }66}6768/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */69static void goodG2B2()70{71 int * data;72 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));73 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));74 if(globalReturnsTrue())75 {76 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */77 data = dataGoodBuffer;78 }79 {80 int source[100] = {0}; /* fill with 0's */81 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */82 memmove(data, source, 100*sizeof(int));83 printIntLine(data[0]);84 }85}8687void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11_good()88{89 goodG2B1();90 goodG2B2();91}9293#endif /* OMITGOOD */9495/* Below is the main(). It is only used when building this testcase on96 * its own for testing or for building a binary to use in testing binary97 * analysis tools. It is not used when compiling all the testcases as one98 * application, which is how source code analysis tools are tested.99 */100101#ifdef INCLUDEMAIN102103int main(int argc, char * argv[])104{105 /* seed randomness */106 srand( (unsigned)time(NULL) );107#ifndef OMITGOOD108 printLine("Calling good()...");109 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11_good();110 printLine("Finished good()");111#endif /* OMITGOOD */112#ifndef OMITBAD113 printLine("Calling bad()...");114 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11_bad();115 printLine("Finished bad()");116#endif /* OMITBAD */117 return 0;118}119120#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11.c3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml4Template File: sources-sink-11.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: ncpy12 * BadSink : Copy string to data using wcsncpy13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11_bad()24{✓ 25 wchar_t * data;✓ 26 data = NULL;✓ 27 if(globalReturnsTrue())28 {29 {✓ 30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 wmemset(dataBuffer, L'A', 100-1);✓ 33 dataBuffer[100-1] = L'\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 }38 {✓ 39 wchar_t source[100];✓ 40 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 41 source[100-1] = L'\0'; /* null terminate */42 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 43 wcsncpy(data, source, 100-1);❗VULN44 /* Ensure the destination buffer is null terminated */✓ 45 data[100-1] = L'\0';✓ 46 printWLine(data);47 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location48 * returned by malloc() so can't safely call free() on it */49 }50}5152#endif /* OMITBAD */5354#ifndef OMITGOOD5556/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */57static void goodG2B1()58{59 wchar_t * data;60 data = NULL;61 if(globalReturnsFalse())62 {63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */64 printLine("Benign, fixed string");65 }66 else67 {68 {69 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));70 if (dataBuffer == NULL) {exit(-1);}71 wmemset(dataBuffer, L'A', 100-1);72 dataBuffer[100-1] = L'\0';73 /* FIX: Set data pointer to the allocated memory buffer */74 data = dataBuffer;75 }76 }77 {78 wchar_t source[100];79 wmemset(source, L'C', 100-1); /* fill with 'C's */80 source[100-1] = L'\0'; /* null terminate */81 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */82 wcsncpy(data, source, 100-1);83 /* Ensure the destination buffer is null terminated */84 data[100-1] = L'\0';85 printWLine(data);86 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location87 * returned by malloc() so can't safely call free() on it */88 }89}9091/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */92static void goodG2B2()93{94 wchar_t * data;95 data = NULL;96 if(globalReturnsTrue())97 {98 {99 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));100 if (dataBuffer == NULL) {exit(-1);}101 wmemset(dataBuffer, L'A', 100-1);102 dataBuffer[100-1] = L'\0';103 /* FIX: Set data pointer to the allocated memory buffer */104 data = dataBuffer;105 }106 }107 {108 wchar_t source[100];109 wmemset(source, L'C', 100-1); /* fill with 'C's */110 source[100-1] = L'\0'; /* null terminate */111 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */112 wcsncpy(data, source, 100-1);113 /* Ensure the destination buffer is null terminated */114 data[100-1] = L'\0';115 printWLine(data);116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location117 * returned by malloc() so can't safely call free() on it */118 }119}120121void CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11_good()122{123 goodG2B1();124 goodG2B2();125}126127#endif /* OMITGOOD */128129/* Below is the main(). It is only used when building this testcase on130 * its own for testing or for building a binary to use in testing binary131 * analysis tools. It is not used when compiling all the testcases as one132 * application, which is how source code analysis tools are tested.133 */134135#ifdef INCLUDEMAIN136137int main(int argc, char * argv[])138{139 /* seed randomness */140 srand( (unsigned)time(NULL) );141#ifndef OMITGOOD142 printLine("Calling good()...");143 CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11_good();144 printLine("Finished good()");145#endif /* OMITGOOD */146#ifndef OMITBAD147 printLine("Calling bad()...");148 CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11_bad();149 printLine("Finished bad()");150#endif /* OMITBAD */151 return 0;152}153154#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_declare_ncpy_14.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-14.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: ncpy12 * BadSink : Copy data to string using wcsncpy13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__wchar_t_declare_ncpy_14_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t dataBuffer[100];✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';✓ 29 if(globalFive==5)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 wchar_t dest[100];✓ 36 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 37 dest[100-1] = L'\0'; /* null terminate */38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 39 wcsncpy(dest, data, wcslen(dest));❗VULN40 /* Ensure null termination */✓ 41 dest[100-1] = L'\0';✓ 42 printWLine(dest);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */51static void goodG2B1()52{53 wchar_t * data;54 wchar_t dataBuffer[100];55 wmemset(dataBuffer, L'A', 100-1);56 dataBuffer[100-1] = L'\0';57 if(globalFive!=5)58 {59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */60 printLine("Benign, fixed string");61 }62 else63 {64 /* FIX: Set data pointer to the allocated memory buffer */65 data = dataBuffer;66 }67 {68 wchar_t dest[100];69 wmemset(dest, L'C', 100-1); /* fill with 'C's */70 dest[100-1] = L'\0'; /* null terminate */71 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */72 wcsncpy(dest, data, wcslen(dest));73 /* Ensure null termination */74 dest[100-1] = L'\0';75 printWLine(dest);76 }77}7879/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */80static void goodG2B2()81{82 wchar_t * data;83 wchar_t dataBuffer[100];84 wmemset(dataBuffer, L'A', 100-1);85 dataBuffer[100-1] = L'\0';86 if(globalFive==5)87 {88 /* FIX: Set data pointer to the allocated memory buffer */89 data = dataBuffer;90 }91 {92 wchar_t dest[100];93 wmemset(dest, L'C', 100-1); /* fill with 'C's */94 dest[100-1] = L'\0'; /* null terminate */95 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */96 wcsncpy(dest, data, wcslen(dest));97 /* Ensure null termination */98 dest[100-1] = L'\0';99 printWLine(dest);100 }101}102103void CWE127_Buffer_Underread__wchar_t_declare_ncpy_14_good()104{105 goodG2B1();106 goodG2B2();107}108109#endif /* OMITGOOD */110111/* Below is the main(). It is only used when building this testcase on112 * its own for testing or for building a binary to use in testing binary113 * analysis tools. It is not used when compiling all the testcases as one114 * application, which is how source code analysis tools are tested.115 */116117#ifdef INCLUDEMAIN118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 CWE127_Buffer_Underread__wchar_t_declare_ncpy_14_good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 CWE127_Buffer_Underread__wchar_t_declare_ncpy_14_bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Point data to a buffer that does not have space for a NULL terminator10 * GoodSource: Point data to a buffer that includes space for a NULL terminator11 * Sink: loop12 * BadSink : Copy array to data using a loop13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526/* The variable below is not declared "const", but is never assigned27 * any other value so a tool should be able to identify that reads of28 * this will always give its initialized value.29 */30static int staticFive = 5;3132#ifndef OMITBAD3334void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07_bad()35{✓ 36 char * data;✓ 37 char * dataBadBuffer = (char *)ALLOCA((10)*sizeof(char));✓ 38 char * dataGoodBuffer = (char *)ALLOCA((10+1)*sizeof(char));✓ 39 if(staticFive==5)40 {41 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing42 * string copies in the sinks */✓ 43 data = dataBadBuffer;✓ 44 data[0] = '\0'; /* null terminate */45 }46 {✓ 47 char source[10+1] = SRC_STRING;✓ 48 size_t i, sourceLen;✓ 49 sourceLen = strlen(source);50 /* Copy length + 1 to include NUL terminator from source */51 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 52 for (i = 0; i < sourceLen + 1; i++)53 {✓ 54 data[i] = source[i];❗VULN55 }✓ 56 printLine(data);57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */65static void goodG2B1()66{67 char * data;68 char * dataBadBuffer = (char *)ALLOCA((10)*sizeof(char));69 char * dataGoodBuffer = (char *)ALLOCA((10+1)*sizeof(char));70 if(staticFive!=5)71 {72 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */73 printLine("Benign, fixed string");74 }75 else76 {77 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing78 * string copies in the sinks */79 data = dataGoodBuffer;80 data[0] = '\0'; /* null terminate */81 }82 {83 char source[10+1] = SRC_STRING;84 size_t i, sourceLen;85 sourceLen = strlen(source);86 /* Copy length + 1 to include NUL terminator from source */87 /* POTENTIAL FLAW: data may not have enough space to hold source */88 for (i = 0; i < sourceLen + 1; i++)89 {90 data[i] = source[i];91 }92 printLine(data);93 }94}9596/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */97static void goodG2B2()98{99 char * data;100 char * dataBadBuffer = (char *)ALLOCA((10)*sizeof(char));101 char * dataGoodBuffer = (char *)ALLOCA((10+1)*sizeof(char));102 if(staticFive==5)103 {104 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing105 * string copies in the sinks */106 data = dataGoodBuffer;107 data[0] = '\0'; /* null terminate */108 }109 {110 char source[10+1] = SRC_STRING;111 size_t i, sourceLen;112 sourceLen = strlen(source);113 /* Copy length + 1 to include NUL terminator from source */114 /* POTENTIAL FLAW: data may not have enough space to hold source */115 for (i = 0; i < sourceLen + 1; i++)116 {117 data[i] = source[i];118 }119 printLine(data);120 }121}122123void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07_good()124{125 goodG2B1();126 goodG2B2();127}128129#endif /* OMITGOOD */130131/* Below is the main(). It is only used when building this testcase on132 * its own for testing or for building a binary to use in testing binary133 * analysis tools. It is not used when compiling all the testcases as one134 * application, which is how source code analysis tools are tested.135 */136137#ifdef INCLUDEMAIN138139int main(int argc, char * argv[])140{141 /* seed randomness */142 srand( (unsigned)time(NULL) );143#ifndef OMITGOOD144 printLine("Calling good()...");145 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07_good();146 printLine("Finished good()");147#endif /* OMITGOOD */148#ifndef OMITBAD149 printLine("Calling bad()...");150 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07_bad();151 printLine("Finished bad()");152#endif /* OMITBAD */153 return 0;154}155156#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 2 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* Error: Could not load file CWE123_Write_What_Where_Condition__fgets_61a.c: File CWE123_Write_What_Where_Condition__fgets_61a.c not found in any subfolder of /home/nimana11/Thesis/codes/VulExplainerExp-84ED_2/datasets/buffer overflow/function/testcases/CWE123_Write_What_Where_Condition */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Point data to a buffer that does not have space for a NULL terminator10 * GoodSource: Point data to a buffer that includes space for a NULL terminator11 * Sink: loop12 * BadSink : Copy array to data using a loop13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING L"AAAAAAAAAA"2526/* The variable below is not declared "const", but is never assigned27 * any other value so a tool should be able to identify that reads of28 * this will always give its initialized value.29 */30static int staticFive = 5;3132#ifndef OMITBAD3334void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07_bad()35{✓ 36 wchar_t * data;✓ 37 wchar_t dataBadBuffer[10];✓ 38 wchar_t dataGoodBuffer[10+1];✓ 39 if(staticFive==5)40 {41 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing42 * string copies in the sinks */✓ 43 data = dataBadBuffer;✓ 44 data[0] = L'\0'; /* null terminate */45 }46 {✓ 47 wchar_t source[10+1] = SRC_STRING;✓ 48 size_t i, sourceLen;✓ 49 sourceLen = wcslen(source);50 /* Copy length + 1 to include NUL terminator from source */51 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 52 for (i = 0; i < sourceLen + 1; i++)53 {✓ 54 data[i] = source[i];❗VULN55 }✓ 56 printWLine(data);57 }58}5960#endif /* OMITBAD */6162#ifndef OMITGOOD6364/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */65static void goodG2B1()66{67 wchar_t * data;68 wchar_t dataBadBuffer[10];69 wchar_t dataGoodBuffer[10+1];70 if(staticFive!=5)71 {72 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */73 printLine("Benign, fixed string");74 }75 else76 {77 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing78 * string copies in the sinks */79 data = dataGoodBuffer;80 data[0] = L'\0'; /* null terminate */81 }82 {83 wchar_t source[10+1] = SRC_STRING;84 size_t i, sourceLen;85 sourceLen = wcslen(source);86 /* Copy length + 1 to include NUL terminator from source */87 /* POTENTIAL FLAW: data may not have enough space to hold source */88 for (i = 0; i < sourceLen + 1; i++)89 {90 data[i] = source[i];91 }92 printWLine(data);93 }94}9596/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */97static void goodG2B2()98{99 wchar_t * data;100 wchar_t dataBadBuffer[10];101 wchar_t dataGoodBuffer[10+1];102 if(staticFive==5)103 {104 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing105 * string copies in the sinks */106 data = dataGoodBuffer;107 data[0] = L'\0'; /* null terminate */108 }109 {110 wchar_t source[10+1] = SRC_STRING;111 size_t i, sourceLen;112 sourceLen = wcslen(source);113 /* Copy length + 1 to include NUL terminator from source */114 /* POTENTIAL FLAW: data may not have enough space to hold source */115 for (i = 0; i < sourceLen + 1; i++)116 {117 data[i] = source[i];118 }119 printWLine(data);120 }121}122123void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07_good()124{125 goodG2B1();126 goodG2B2();127}128129#endif /* OMITGOOD */130131/* Below is the main(). It is only used when building this testcase on132 * its own for testing or for building a binary to use in testing binary133 * analysis tools. It is not used when compiling all the testcases as one134 * application, which is how source code analysis tools are tested.135 */136137#ifdef INCLUDEMAIN138139int main(int argc, char * argv[])140{141 /* seed randomness */142 srand( (unsigned)time(NULL) );143#ifndef OMITGOOD144 printLine("Calling good()...");145 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07_good();146 printLine("Finished good()");147#endif /* OMITGOOD */148#ifndef OMITBAD149 printLine("Calling bad()...");150 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07_bad();151 printLine("Finished bad()");152#endif /* OMITBAD */153 return 0;154}155156#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memcpy12 * BadSink : Copy twoIntsStruct array to data using memcpy13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819/* The variable below is not declared "const", but is never assigned20 * any other value so a tool should be able to identify that reads of21 * this will always give its initialized value.22 */23static int staticFive = 5;2425#ifndef OMITBAD2627void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07_bad()28{✓ 29 twoIntsStruct * data;✓ 30 twoIntsStruct dataBadBuffer[50];✓ 31 twoIntsStruct dataGoodBuffer[100];✓ 32 if(staticFive==5)33 {34 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination35 * buffer in various memory copying functions using a "large" source buffer. */✓ 36 data = dataBadBuffer;37 }38 {✓ 39 twoIntsStruct source[100];40 {✓ 41 size_t i;42 /* Initialize array */✓ 43 for (i = 0; i < 100; i++)44 {✓ 45 source[i].intOne = 0;✓ 46 source[i].intTwo = 0;47 }48 }49 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 50 memcpy(data, source, 100*sizeof(twoIntsStruct));❗VULN✓ 51 printStructLine(&data[0]);52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */60static void goodG2B1()61{62 twoIntsStruct * data;63 twoIntsStruct dataBadBuffer[50];64 twoIntsStruct dataGoodBuffer[100];65 if(staticFive!=5)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */73 data = dataGoodBuffer;74 }75 {76 twoIntsStruct source[100];77 {78 size_t i;79 /* Initialize array */80 for (i = 0; i < 100; i++)81 {82 source[i].intOne = 0;83 source[i].intTwo = 0;84 }85 }86 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */87 memcpy(data, source, 100*sizeof(twoIntsStruct));88 printStructLine(&data[0]);89 }90}9192/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */93static void goodG2B2()94{95 twoIntsStruct * data;96 twoIntsStruct dataBadBuffer[50];97 twoIntsStruct dataGoodBuffer[100];98 if(staticFive==5)99 {100 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */101 data = dataGoodBuffer;102 }103 {104 twoIntsStruct source[100];105 {106 size_t i;107 /* Initialize array */108 for (i = 0; i < 100; i++)109 {110 source[i].intOne = 0;111 source[i].intTwo = 0;112 }113 }114 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */115 memcpy(data, source, 100*sizeof(twoIntsStruct));116 printStructLine(&data[0]);117 }118}119120void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07_good()121{122 goodG2B1();123 goodG2B2();124}125126#endif /* OMITGOOD */127128/* Below is the main(). It is only used when building this testcase on129 * its own for testing or for building a binary to use in testing binary130 * analysis tools. It is not used when compiling all the testcases as one131 * application, which is how source code analysis tools are tested.132 */133134#ifdef INCLUDEMAIN135136int main(int argc, char * argv[])137{138 /* seed randomness */139 srand( (unsigned)time(NULL) );140#ifndef OMITGOOD141 printLine("Calling good()...");142 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07_good();143 printLine("Finished good()");144#endif /* OMITGOOD */145#ifndef OMITBAD146 printLine("Calling bad()...");147 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07_bad();148 printLine("Finished bad()");149#endif /* OMITBAD */150 return 0;151}152153#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 44 | Sink Nodes: 2 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* Error: Could not load file CWE123_Write_What_Where_Condition__listen_socket_14.c: File CWE123_Write_What_Where_Condition__listen_socket_14.c not found in any subfolder of /home/nimana11/Thesis/codes/VulExplainerExp-84ED_2/datasets/buffer overflow/function/testcases/CWE123_Write_What_Where_Condition */
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__char_declare_memmove_06.c3Label Definition File: CWE126_Buffer_Overread.stack.label.xml4Template File: sources-sink-06.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Set data pointer to a small buffer10 * GoodSource: Set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is declared "const", so a tool should be able22 * to identify that reads of this will always give its initialized value. */23static const int STATIC_CONST_FIVE = 5;2425#ifndef OMITBAD2627void CWE126_Buffer_Overread__char_declare_memmove_06_bad()28{✓ 29 char * data;✓ 30 char dataBadBuffer[50];✓ 31 char dataGoodBuffer[100];✓ 32 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */✓ 33 dataBadBuffer[50-1] = '\0'; /* null terminate */✓ 34 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */✓ 35 dataGoodBuffer[100-1] = '\0'; /* null terminate */✓ 36 if(STATIC_CONST_FIVE==5)37 {38 /* FLAW: Set data pointer to a small buffer */✓ 39 data = dataBadBuffer;40 }41 {✓ 42 char dest[100];✓ 43 memset(dest, 'C', 100-1);✓ 44 dest[100-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: using memmove with the length of the dest where data46 * could be smaller than dest causing buffer overread */✓ 47 memmove(dest, data, strlen(dest)*sizeof(char));❗VULN✓ 48 dest[100-1] = '\0';✓ 49 printLine(dest);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */58static void goodG2B1()59{60 char * data;61 char dataBadBuffer[50];62 char dataGoodBuffer[100];63 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */64 dataBadBuffer[50-1] = '\0'; /* null terminate */65 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */66 dataGoodBuffer[100-1] = '\0'; /* null terminate */67 if(STATIC_CONST_FIVE!=5)68 {69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */70 printLine("Benign, fixed string");71 }72 else73 {74 /* FIX: Set data pointer to a large buffer */75 data = dataGoodBuffer;76 }77 {78 char dest[100];79 memset(dest, 'C', 100-1);80 dest[100-1] = '\0'; /* null terminate */81 /* POTENTIAL FLAW: using memmove with the length of the dest where data82 * could be smaller than dest causing buffer overread */83 memmove(dest, data, strlen(dest)*sizeof(char));84 dest[100-1] = '\0';85 printLine(dest);86 }87}8889/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */90static void goodG2B2()91{92 char * data;93 char dataBadBuffer[50];94 char dataGoodBuffer[100];95 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */96 dataBadBuffer[50-1] = '\0'; /* null terminate */97 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */98 dataGoodBuffer[100-1] = '\0'; /* null terminate */99 if(STATIC_CONST_FIVE==5)100 {101 /* FIX: Set data pointer to a large buffer */102 data = dataGoodBuffer;103 }104 {105 char dest[100];106 memset(dest, 'C', 100-1);107 dest[100-1] = '\0'; /* null terminate */108 /* POTENTIAL FLAW: using memmove with the length of the dest where data109 * could be smaller than dest causing buffer overread */110 memmove(dest, data, strlen(dest)*sizeof(char));111 dest[100-1] = '\0';112 printLine(dest);113 }114}115116void CWE126_Buffer_Overread__char_declare_memmove_06_good()117{118 goodG2B1();119 goodG2B2();120}121122#endif /* OMITGOOD */123124/* Below is the main(). It is only used when building this testcase on125 * its own for testing or for building a binary to use in testing binary126 * analysis tools. It is not used when compiling all the testcases as one127 * application, which is how source code analysis tools are tested.128 */129130#ifdef INCLUDEMAIN131132int main(int argc, char * argv[])133{134 /* seed randomness */135 srand( (unsigned)time(NULL) );136#ifndef OMITGOOD137 printLine("Calling good()...");138 CWE126_Buffer_Overread__char_declare_memmove_06_good();139 printLine("Finished good()");140#endif /* OMITGOOD */141#ifndef OMITBAD142 printLine("Calling bad()...");143 CWE126_Buffer_Overread__char_declare_memmove_06_bad();144 printLine("Finished bad()");145#endif /* OMITBAD */146 return 0;147}148149#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__new_char_loop_21.cpp3Label Definition File: CWE127_Buffer_Underread__new.label.xml4Template File: sources-sink-21.tmpl.cpp5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE127_Buffer_Underread__new_char_loop_2122{2324#ifndef OMITBAD2526/* The static variable below is used to drive control flow in the source function */27static int badStatic = 0;2829static char * badSource(char * data)30{31 if(badStatic)32 {33 {34 char * dataBuffer = new char[100];35 memset(dataBuffer, 'A', 100-1);36 dataBuffer[100-1] = '\0';37 /* FLAW: Set data pointer to before the allocated memory buffer */38 data = dataBuffer - 8;39 }40 }41 return data;42}4344void bad()45{✓ 46 char * data;✓ 47 data = NULL;✓ 48 badStatic = 1; /* true */✓ 49 data = badSource(data);50 {✓ 51 size_t i;✓ 52 char dest[100];✓ 53 memset(dest, 'C', 100-1); /* fill with 'C's */✓ 54 dest[100-1] = '\0'; /* null terminate */55 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 56 for (i = 0; i < 100; i++)57 {✓ 58 dest[i] = data[i];❗VULN59 }60 /* Ensure null termination */✓ 61 dest[100-1] = '\0';✓ 62 printLine(dest);63 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location64 * returned by new [] so can't safely call delete [] on it */65 }✓ 66 ;67}6869#endif /* OMITBAD */7071#ifndef OMITGOOD7273/* The static variables below are used to drive control flow in the source functions. */74static int goodG2B1Static = 0;75static int goodG2B2Static = 0;7677/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */78static char * goodG2B1Source(char * data)79{80 if(goodG2B1Static)81 {82 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */83 printLine("Benign, fixed string");84 }85 else86 {87 {88 char * dataBuffer = new char[100];89 memset(dataBuffer, 'A', 100-1);90 dataBuffer[100-1] = '\0';91 /* FIX: Set data pointer to the allocated memory buffer */92 data = dataBuffer;93 }94 }95 return data;96}9798static void goodG2B1()99{100 char * data;101 data = NULL;102 goodG2B1Static = 0; /* false */103 data = goodG2B1Source(data);104 {105 size_t i;106 char dest[100];107 memset(dest, 'C', 100-1); /* fill with 'C's */108 dest[100-1] = '\0'; /* null terminate */109 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */110 for (i = 0; i < 100; i++)111 {112 dest[i] = data[i];113 }114 /* Ensure null termination */115 dest[100-1] = '\0';116 printLine(dest);117 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location118 * returned by new [] so can't safely call delete [] on it */119 }120 ;121}122123/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */124static char * goodG2B2Source(char * data)125{126 if(goodG2B2Static)127 {128 {129 char * dataBuffer = new char[100];130 memset(dataBuffer, 'A', 100-1);131 dataBuffer[100-1] = '\0';132 /* FIX: Set data pointer to the allocated memory buffer */133 data = dataBuffer;134 }135 }136 return data;137}138139static void goodG2B2()140{141 char * data;142 data = NULL;143 goodG2B2Static = 1; /* true */144 data = goodG2B2Source(data);145 {146 size_t i;147 char dest[100];148 memset(dest, 'C', 100-1); /* fill with 'C's */149 dest[100-1] = '\0'; /* null terminate */150 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */151 for (i = 0; i < 100; i++)152 {153 dest[i] = data[i];154 }155 /* Ensure null termination */156 dest[100-1] = '\0';157 printLine(dest);158 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location159 * returned by new [] so can't safely call delete [] on it */160 }161 ;162}163164void good()165{166 goodG2B1();167 goodG2B2();168}169170#endif /* OMITGOOD */171172} /* close namespace */173174/* Below is the main(). It is only used when building this testcase on175 its own for testing or for building a binary to use in testing binary176 analysis tools. It is not used when compiling all the testcases as one177 application, which is how source code analysis tools are tested. */178179#ifdef INCLUDEMAIN180181using namespace CWE127_Buffer_Underread__new_char_loop_21; /* so that we can use good and bad easily */182183int main(int argc, char * argv[])184{185 /* seed randomness */186 srand( (unsigned)time(NULL) );187#ifndef OMITGOOD188 printLine("Calling good()...");189 good();190 printLine("Finished good()");191#endif /* OMITGOOD */192#ifndef OMITBAD193 printLine("Calling bad()...");194 bad();195 printLine("Finished bad()");196#endif /* OMITBAD */197 return 0;198}199200#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml4Template File: sources-sink-34.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator10 * GoodSource: Allocate enough memory for a string and the NULL terminator11 * Sinks: memmove12 * BadSink : Copy string to data using memmove()13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)14 *15 * */1617#include "std_testcase.h"1819#ifndef _WIN3220#include <wchar.h>21#endif2223/* MAINTENANCE NOTE: The length of this string should equal the 10 */24#define SRC_STRING "AAAAAAAAAA"2526typedef union27{28 char * unionFirst;29 char * unionSecond;30} CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_unionType;3132#ifndef OMITBAD3334void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_bad()35{✓ 36 char * data;✓ 37 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_unionType myUnion;✓ 38 data = NULL;39 /* FLAW: Did not leave space for a null terminator */✓ 40 data = (char *)malloc(10*sizeof(char));✓ 41 if (data == NULL) {exit(-1);}✓ 42 myUnion.unionFirst = data;43 {✓ 44 char * data = myUnion.unionSecond;45 {✓ 46 char source[10+1] = SRC_STRING;47 /* Copy length + 1 to include NUL terminator from source */48 /* POTENTIAL FLAW: data may not have enough space to hold source */✓ 49 memmove(data, source, (strlen(source) + 1) * sizeof(char));❗VULN✓ 50 printLine(data);✓ 51 free(data);52 }53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B() uses the GoodSource with the BadSink */61static void goodG2B()62{63 char * data;64 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_unionType myUnion;65 data = NULL;66 /* FIX: Allocate space for a null terminator */67 data = (char *)malloc((10+1)*sizeof(char));68 if (data == NULL) {exit(-1);}69 myUnion.unionFirst = data;70 {71 char * data = myUnion.unionSecond;72 {73 char source[10+1] = SRC_STRING;74 /* Copy length + 1 to include NUL terminator from source */75 /* POTENTIAL FLAW: data may not have enough space to hold source */76 memmove(data, source, (strlen(source) + 1) * sizeof(char));77 printLine(data);78 free(data);79 }80 }81}8283void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_good()84{85 goodG2B();86}8788#endif /* OMITGOOD */8990/* Below is the main(). It is only used when building this testcase on91 * its own for testing or for building a binary to use in testing binary92 * analysis tools. It is not used when compiling all the testcases as one93 * application, which is how source code analysis tools are tested.94 */95#ifdef INCLUDEMAIN9697int main(int argc, char * argv[])98{99 /* seed randomness */100 srand( (unsigned)time(NULL) );101#ifndef OMITGOOD102 printLine("Calling good()...");103 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_good();104 printLine("Finished good()");105#endif /* OMITGOOD */106#ifndef OMITBAD107 printLine("Calling bad()...");108 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_bad();109 printLine("Finished bad()");110#endif /* OMITBAD */111 return 0;112}113114#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 7 predicted, 2 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__sizeof.label.xml4Template File: sources-sink-02.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize the source buffer using the size of a pointer10 * GoodSource: Initialize the source buffer using the size of the DataElementType11 * Sink:12 * BadSink : Print then free data13 * Flow Variant: 02 Control flow: if(1) and if(0)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02_bad()22{✓ 23 int64_t * data;24 /* Initialize data */✓ 25 data = NULL;✗ 26 if(1)27 {28 /* INCIDENTAL: CWE-467 (Use of sizeof() on a pointer type) */29 /* FLAW: Using sizeof the pointer and not the data type in malloc() */✗ 30 data = (int64_t *)malloc(sizeof(data));✗ 31 if (data == NULL) {exit(-1);}✓ 32 *data = 2147483643LL;❗VULN33 }34 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */✓ 35 printLongLongLine(*data);❗VULN✗ 36 free(data);37}3839#endif /* OMITBAD */4041#ifndef OMITGOOD4243/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */44static void goodG2B1()45{46 int64_t * data;47 /* Initialize data */48 data = NULL;49 if(0)50 {51 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */52 printLine("Benign, fixed string");53 }54 else55 {56 /* FIX: Using sizeof the data type in malloc() */57 data = (int64_t *)malloc(sizeof(*data));58 if (data == NULL) {exit(-1);}59 *data = 2147483643LL;60 }61 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */62 printLongLongLine(*data);63 free(data);64}6566/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */67static void goodG2B2()68{69 int64_t * data;70 /* Initialize data */71 data = NULL;72 if(1)73 {74 /* FIX: Using sizeof the data type in malloc() */75 data = (int64_t *)malloc(sizeof(*data));76 if (data == NULL) {exit(-1);}77 *data = 2147483643LL;78 }79 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */80 printLongLongLine(*data);81 free(data);82}8384void CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02_good()85{86 goodG2B1();87 goodG2B2();88}8990#endif /* OMITGOOD */9192/* Below is the main(). It is only used when building this testcase on93 * its own for testing or for building a binary to use in testing binary94 * analysis tools. It is not used when compiling all the testcases as one95 * application, which is how source code analysis tools are tested.96 */9798#ifdef INCLUDEMAIN99100int main(int argc, char * argv[])101{102 /* seed randomness */103 srand( (unsigned)time(NULL) );104#ifndef OMITGOOD105 printLine("Calling good()...");106 CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02_good();107 printLine("Finished good()");108#endif /* OMITGOOD */109#ifndef OMITBAD110 printLine("Calling bad()...");111 CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02_bad();112 printLine("Finished bad()");113#endif /* OMITBAD */114 return 0;115}116117#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 21 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE129.label.xml4Template File: sources-sinks-04.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: rand Set data to result of rand(), which may be zero10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)15 *16 * */1718#include "std_testcase.h"1920/* The two variables below are declared "const", so a tool should21 be able to identify that reads of these will always return their22 initialized values. */23static const int STATIC_CONST_TRUE = 1; /* true */24static const int STATIC_CONST_FALSE = 0; /* false */2526#ifndef OMITBAD2728void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04_bad()29{✓ 30 int data;31 /* Initialize data */✓ 32 data = -1;✓ 33 if(STATIC_CONST_TRUE)34 {35 /* POTENTIAL FLAW: Set data to a random value */✓ 36 data = RAND32();37 }✓ 38 if(STATIC_CONST_TRUE)39 {40 {✓ 41 int i;✓ 42 int * buffer = (int *)malloc(10 * sizeof(int));✓ 43 if (buffer == NULL) {exit(-1);}44 /* initialize buffer */✓ 45 for (i = 0; i < 10; i++)46 {✓ 47 buffer[i] = 0;48 }49 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound50 * This code does check to see if the array index is negative */✓ 51 if (data >= 0)52 {✓ 53 buffer[data] = 1;❗VULN54 /* Print the array values */✓ 55 for(i = 0; i < 10; i++)56 {✓ 57 printIntLine(buffer[i]);58 }59 }60 else61 {✓ 62 printLine("ERROR: Array index is negative.");63 }✓ 64 free(buffer);65 }66 }67}6869#endif /* OMITBAD */7071#ifndef OMITGOOD7273/* goodB2G1() - use badsource and goodsink by changing the second STATIC_CONST_TRUE to STATIC_CONST_FALSE */74static void goodB2G1()75{76 int data;77 /* Initialize data */78 data = -1;79 if(STATIC_CONST_TRUE)80 {81 /* POTENTIAL FLAW: Set data to a random value */82 data = RAND32();83 }84 if(STATIC_CONST_FALSE)85 {86 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */87 printLine("Benign, fixed string");88 }89 else90 {91 {92 int i;93 int * buffer = (int *)malloc(10 * sizeof(int));94 if (buffer == NULL) {exit(-1);}95 /* initialize buffer */96 for (i = 0; i < 10; i++)97 {98 buffer[i] = 0;99 }100 /* FIX: Properly validate the array index and prevent a buffer overflow */101 if (data >= 0 && data < (10))102 {103 buffer[data] = 1;104 /* Print the array values */105 for(i = 0; i < 10; i++)106 {107 printIntLine(buffer[i]);108 }109 }110 else111 {112 printLine("ERROR: Array index is out-of-bounds");113 }114 free(buffer);115 }116 }117}118119/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */120static void goodB2G2()121{122 int data;123 /* Initialize data */124 data = -1;125 if(STATIC_CONST_TRUE)126 {127 /* POTENTIAL FLAW: Set data to a random value */128 data = RAND32();129 }130 if(STATIC_CONST_TRUE)131 {132 {133 int i;134 int * buffer = (int *)malloc(10 * sizeof(int));135 if (buffer == NULL) {exit(-1);}136 /* initialize buffer */137 for (i = 0; i < 10; i++)138 {139 buffer[i] = 0;140 }141 /* FIX: Properly validate the array index and prevent a buffer overflow */142 if (data >= 0 && data < (10))143 {144 buffer[data] = 1;145 /* Print the array values */146 for(i = 0; i < 10; i++)147 {148 printIntLine(buffer[i]);149 }150 }151 else152 {153 printLine("ERROR: Array index is out-of-bounds");154 }155 free(buffer);156 }157 }158}159160/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_TRUE to STATIC_CONST_FALSE */161static void goodG2B1()162{163 int data;164 /* Initialize data */165 data = -1;166 if(STATIC_CONST_FALSE)167 {168 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */169 printLine("Benign, fixed string");170 }171 else172 {173 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to174 * access an index of the array in the sink that is out-of-bounds */175 data = 7;176 }177 if(STATIC_CONST_TRUE)178 {179 {180 int i;181 int * buffer = (int *)malloc(10 * sizeof(int));182 if (buffer == NULL) {exit(-1);}183 /* initialize buffer */184 for (i = 0; i < 10; i++)185 {186 buffer[i] = 0;187 }188 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound189 * This code does check to see if the array index is negative */190 if (data >= 0)191 {192 buffer[data] = 1;193 /* Print the array values */194 for(i = 0; i < 10; i++)195 {196 printIntLine(buffer[i]);197 }198 }199 else200 {201 printLine("ERROR: Array index is negative.");202 }203 free(buffer);204 }205 }206}207208/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */209static void goodG2B2()210{211 int data;212 /* Initialize data */213 data = -1;214 if(STATIC_CONST_TRUE)215 {216 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to217 * access an index of the array in the sink that is out-of-bounds */218 data = 7;219 }220 if(STATIC_CONST_TRUE)221 {222 {223 int i;224 int * buffer = (int *)malloc(10 * sizeof(int));225 if (buffer == NULL) {exit(-1);}226 /* initialize buffer */227 for (i = 0; i < 10; i++)228 {229 buffer[i] = 0;230 }231 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound232 * This code does check to see if the array index is negative */233 if (data >= 0)234 {235 buffer[data] = 1;236 /* Print the array values */237 for(i = 0; i < 10; i++)238 {239 printIntLine(buffer[i]);240 }241 }242 else243 {244 printLine("ERROR: Array index is negative.");245 }246 free(buffer);247 }248 }249}250251void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04_good()252{253 goodB2G1();254 goodB2G2();255 goodG2B1();256 goodG2B2();257}258259#endif /* OMITGOOD */260261/* Below is the main(). It is only used when building this testcase on262 its own for testing or for building a binary to use in testing binary263 analysis tools. It is not used when compiling all the testcases as one264 application, which is how source code analysis tools are tested. */265266#ifdef INCLUDEMAIN267268int main(int argc, char * argv[])269{270 /* seed randomness */271 srand( (unsigned)time(NULL) );272#ifndef OMITGOOD273 printLine("Calling good()...");274 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04_good();275 printLine("Finished good()");276#endif /* OMITGOOD */277#ifndef OMITBAD278 printLine("Calling bad()...");279 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04_bad();280 printLine("Finished bad()");281#endif /* OMITBAD */282 return 0;283}284285#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__new_wchar_t_memmove_06.cpp3Label Definition File: CWE126_Buffer_Overread__new.label.xml4Template File: sources-sink-06.tmpl.cpp5*/6/*7 * @description8 * CWE: 126 Buffer Over-read9 * BadSource: Use a small buffer10 * GoodSource: Use a large buffer11 * Sink: memmove12 * BadSink : Copy data to string using memmove13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The variable below is declared "const", so a tool should be able22 to identify that reads of this will always give its initialized23 value. */24static const int STATIC_CONST_FIVE = 5;2526namespace CWE126_Buffer_Overread__new_wchar_t_memmove_0627{2829#ifndef OMITBAD3031void bad()32{✓ 33 wchar_t * data;✓ 34 data = NULL;✓ 35 if(STATIC_CONST_FIVE==5)36 {37 /* FLAW: Use a small buffer */✓ 38 data = new wchar_t[50];✓ 39 wmemset(data, L'A', 50-1); /* fill with 'A's */✓ 40 data[50-1] = L'\0'; /* null terminate */41 }42 {✓ 43 wchar_t dest[100];✓ 44 wmemset(dest, L'C', 100-1);✓ 45 dest[100-1] = L'\0'; /* null terminate */46 /* POTENTIAL FLAW: using memmove with the length of the dest where data47 * could be smaller than dest causing buffer overread */✓ 48 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN✓ 49 dest[100-1] = L'\0';✓ 50 printWLine(dest);✓ 51 delete [] data;52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */60static void goodG2B1()61{62 wchar_t * data;63 data = NULL;64 if(STATIC_CONST_FIVE!=5)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 /* FIX: Use a large buffer */72 data = new wchar_t[100];73 wmemset(data, L'A', 100-1); /* fill with 'A's */74 data[100-1] = L'\0'; /* null terminate */75 }76 {77 wchar_t dest[100];78 wmemset(dest, L'C', 100-1);79 dest[100-1] = L'\0'; /* null terminate */80 /* POTENTIAL FLAW: using memmove with the length of the dest where data81 * could be smaller than dest causing buffer overread */82 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));83 dest[100-1] = L'\0';84 printWLine(dest);85 delete [] data;86 }87}8889/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */90static void goodG2B2()91{92 wchar_t * data;93 data = NULL;94 if(STATIC_CONST_FIVE==5)95 {96 /* FIX: Use a large buffer */97 data = new wchar_t[100];98 wmemset(data, L'A', 100-1); /* fill with 'A's */99 data[100-1] = L'\0'; /* null terminate */100 }101 {102 wchar_t dest[100];103 wmemset(dest, L'C', 100-1);104 dest[100-1] = L'\0'; /* null terminate */105 /* POTENTIAL FLAW: using memmove with the length of the dest where data106 * could be smaller than dest causing buffer overread */107 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));108 dest[100-1] = L'\0';109 printWLine(dest);110 delete [] data;111 }112}113114void good()115{116 goodG2B1();117 goodG2B2();118}119120#endif /* OMITGOOD */121122} /* close namespace */123124/* Below is the main(). It is only used when building this testcase on125 its own for testing or for building a binary to use in testing binary126 analysis tools. It is not used when compiling all the testcases as one127 application, which is how source code analysis tools are tested. */128129#ifdef INCLUDEMAIN130131using namespace CWE126_Buffer_Overread__new_wchar_t_memmove_06; /* so that we can use good and bad easily */132133int main(int argc, char * argv[])134{135 /* seed randomness */136 srand( (unsigned)time(NULL) );137#ifndef OMITGOOD138 printLine("Calling good()...");139 good();140 printLine("Finished good()");141#endif /* OMITGOOD */142#ifndef OMITBAD143 printLine("Calling bad()...");144 bad();145 printLine("Finished bad()");146#endif /* OMITBAD */147 return 0;148}149150#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-32.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: snprintf12 * BadSink : Copy string to data using snprintf13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifdef _WIN3222#define SNPRINTF _snprintf23#else24#define SNPRINTF snprintf25#endif2627#ifndef OMITBAD2829void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32_bad()30{✓ 31 char * data;✓ 32 char * *dataPtr1 = &data;✓ 33 char * *dataPtr2 = &data;✓ 34 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));✓ 35 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));36 {✓ 37 char * data = *dataPtr1;38 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination39 * buffer in various memory copying functions using a "large" source buffer. */✓ 40 data = dataBadBuffer;✓ 41 data[0] = '\0'; /* null terminate */✓ 42 *dataPtr1 = data;43 }44 {✓ 45 char * data = *dataPtr2;46 {✓ 47 char source[100];✓ 48 memset(source, 'C', 100-1); /* fill with 'C's */✓ 49 source[100-1] = '\0'; /* null terminate */50 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 51 SNPRINTF(data, 100, "%s", source);❗VULN✓ 52 printLine(data);53 }54 }55}5657#endif /* OMITBAD */5859#ifndef OMITGOOD6061/* goodG2B() uses the GoodSource with the BadSink */62static void goodG2B()63{64 char * data;65 char * *dataPtr1 = &data;66 char * *dataPtr2 = &data;67 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));68 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));69 {70 char * data = *dataPtr1;71 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */72 data = dataGoodBuffer;73 data[0] = '\0'; /* null terminate */74 *dataPtr1 = data;75 }76 {77 char * data = *dataPtr2;78 {79 char source[100];80 memset(source, 'C', 100-1); /* fill with 'C's */81 source[100-1] = '\0'; /* null terminate */82 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */83 SNPRINTF(data, 100, "%s", source);84 printLine(data);85 }86 }87}8889void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32_good()90{91 goodG2B();92}9394#endif /* OMITGOOD */9596/* Below is the main(). It is only used when building this testcase on97 * its own for testing or for building a binary to use in testing binary98 * analysis tools. It is not used when compiling all the testcases as one99 * application, which is how source code analysis tools are tested.100 */101#ifdef INCLUDEMAIN102103int main(int argc, char * argv[])104{105 /* seed randomness */106 srand( (unsigned)time(NULL) );107#ifndef OMITGOOD108 printLine("Calling good()...");109 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32_good();110 printLine("Finished good()");111#endif /* OMITGOOD */112#ifndef OMITBAD113 printLine("Calling bad()...");114 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32_bad();115 printLine("Finished bad()");116#endif /* OMITBAD */117 return 0;118}119120#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 21 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__wchar_t_alloca_loop_15.c3Label Definition File: CWE127_Buffer_Underread.stack.label.xml4Template File: sources-sink-15.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy data to string using a loop13 * Flow Variant: 15 Control flow: switch(6)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__wchar_t_alloca_loop_15_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';✓ 29 switch(6)30 {✓ 31 case 6:32 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 33 data = dataBuffer - 8;✓ 34 break;✓ 35 default:36 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */✓ 37 printLine("Benign, fixed string");✓ 38 break;39 }40 {✓ 41 size_t i;✓ 42 wchar_t dest[100];✓ 43 wmemset(dest, L'C', 100-1); /* fill with 'C's */✓ 44 dest[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 46 for (i = 0; i < 100; i++)47 {✓ 48 dest[i] = data[i];❗VULN49 }50 /* Ensure null termination */✓ 51 dest[100-1] = L'\0';✓ 52 printWLine(dest);53 }54}5556#endif /* OMITBAD */5758#ifndef OMITGOOD5960/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */61static void goodG2B1()62{63 wchar_t * data;64 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));65 wmemset(dataBuffer, L'A', 100-1);66 dataBuffer[100-1] = L'\0';67 switch(5)68 {69 case 6:70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */71 printLine("Benign, fixed string");72 break;73 default:74 /* FIX: Set data pointer to the allocated memory buffer */75 data = dataBuffer;76 break;77 }78 {79 size_t i;80 wchar_t dest[100];81 wmemset(dest, L'C', 100-1); /* fill with 'C's */82 dest[100-1] = L'\0'; /* null terminate */83 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */84 for (i = 0; i < 100; i++)85 {86 dest[i] = data[i];87 }88 /* Ensure null termination */89 dest[100-1] = L'\0';90 printWLine(dest);91 }92}9394/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */95static void goodG2B2()96{97 wchar_t * data;98 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));99 wmemset(dataBuffer, L'A', 100-1);100 dataBuffer[100-1] = L'\0';101 switch(6)102 {103 case 6:104 /* FIX: Set data pointer to the allocated memory buffer */105 data = dataBuffer;106 break;107 default:108 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */109 printLine("Benign, fixed string");110 break;111 }112 {113 size_t i;114 wchar_t dest[100];115 wmemset(dest, L'C', 100-1); /* fill with 'C's */116 dest[100-1] = L'\0'; /* null terminate */117 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */118 for (i = 0; i < 100; i++)119 {120 dest[i] = data[i];121 }122 /* Ensure null termination */123 dest[100-1] = L'\0';124 printWLine(dest);125 }126}127128void CWE127_Buffer_Underread__wchar_t_alloca_loop_15_good()129{130 goodG2B1();131 goodG2B2();132}133134#endif /* OMITGOOD */135136/* Below is the main(). It is only used when building this testcase on137 * its own for testing or for building a binary to use in testing binary138 * analysis tools. It is not used when compiling all the testcases as one139 * application, which is how source code analysis tools are tested.140 */141142#ifdef INCLUDEMAIN143144int main(int argc, char * argv[])145{146 /* seed randomness */147 srand( (unsigned)time(NULL) );148#ifndef OMITGOOD149 printLine("Calling good()...");150 CWE127_Buffer_Underread__wchar_t_alloca_loop_15_good();151 printLine("Finished good()");152#endif /* OMITGOOD */153#ifndef OMITBAD154 printLine("Calling bad()...");155 CWE127_Buffer_Underread__wchar_t_alloca_loop_15_bad();156 printLine("Finished bad()");157#endif /* OMITBAD */158 return 0;159}160161#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml4Template File: sources-sink-07.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: memmove12 * BadSink : Copy twoIntsStruct array to data using memmove13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)14 *15 * */1617#include "std_testcase.h"1819/* The variable below is not declared "const", but is never assigned20 * any other value so a tool should be able to identify that reads of21 * this will always give its initialized value.22 */23static int staticFive = 5;2425#ifndef OMITBAD2627void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07_bad()28{✓ 29 twoIntsStruct * data;✓ 30 twoIntsStruct dataBadBuffer[50];✓ 31 twoIntsStruct dataGoodBuffer[100];✓ 32 if(staticFive==5)33 {34 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination35 * buffer in various memory copying functions using a "large" source buffer. */✓ 36 data = dataBadBuffer;37 }38 {✓ 39 twoIntsStruct source[100];40 {✓ 41 size_t i;42 /* Initialize array */✓ 43 for (i = 0; i < 100; i++)44 {✓ 45 source[i].intOne = 0;✓ 46 source[i].intTwo = 0;47 }48 }49 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 50 memmove(data, source, 100*sizeof(twoIntsStruct));❗VULN✓ 51 printStructLine(&data[0]);52 }53}5455#endif /* OMITBAD */5657#ifndef OMITGOOD5859/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */60static void goodG2B1()61{62 twoIntsStruct * data;63 twoIntsStruct dataBadBuffer[50];64 twoIntsStruct dataGoodBuffer[100];65 if(staticFive!=5)66 {67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */68 printLine("Benign, fixed string");69 }70 else71 {72 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */73 data = dataGoodBuffer;74 }75 {76 twoIntsStruct source[100];77 {78 size_t i;79 /* Initialize array */80 for (i = 0; i < 100; i++)81 {82 source[i].intOne = 0;83 source[i].intTwo = 0;84 }85 }86 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */87 memmove(data, source, 100*sizeof(twoIntsStruct));88 printStructLine(&data[0]);89 }90}9192/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */93static void goodG2B2()94{95 twoIntsStruct * data;96 twoIntsStruct dataBadBuffer[50];97 twoIntsStruct dataGoodBuffer[100];98 if(staticFive==5)99 {100 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */101 data = dataGoodBuffer;102 }103 {104 twoIntsStruct source[100];105 {106 size_t i;107 /* Initialize array */108 for (i = 0; i < 100; i++)109 {110 source[i].intOne = 0;111 source[i].intTwo = 0;112 }113 }114 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */115 memmove(data, source, 100*sizeof(twoIntsStruct));116 printStructLine(&data[0]);117 }118}119120void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07_good()121{122 goodG2B1();123 goodG2B2();124}125126#endif /* OMITGOOD */127128/* Below is the main(). It is only used when building this testcase on129 * its own for testing or for building a binary to use in testing binary130 * analysis tools. It is not used when compiling all the testcases as one131 * application, which is how source code analysis tools are tested.132 */133134#ifdef INCLUDEMAIN135136int main(int argc, char * argv[])137{138 /* seed randomness */139 srand( (unsigned)time(NULL) );140#ifndef OMITGOOD141 printLine("Calling good()...");142 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07_good();143 printLine("Finished good()");144#endif /* OMITGOOD */145#ifndef OMITBAD146 printLine("Calling bad()...");147 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07_bad();148 printLine("Finished bad()");149#endif /* OMITBAD */150 return 0;151}152153#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 44 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE126_Buffer_Overread__CWE129_listen_socket_08.c3Label Definition File: CWE126_Buffer_Overread__CWE129.label.xml4Template File: sources-sinks-08.tmpl.c5*/6/*7 * @description8 * CWE: 126 Buffer Overread9 * BadSource: listen_socket Read data using a listen socket (server side)10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())15 *16 * */1718#include "std_testcase.h"1920#ifdef _WIN3221#include <winsock2.h>22#include <windows.h>23#include <direct.h>24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */25#define CLOSE_SOCKET closesocket26#else27#include <sys/types.h>28#include <sys/socket.h>29#include <netinet/in.h>30#include <arpa/inet.h>31#include <unistd.h>32#define INVALID_SOCKET -133#define SOCKET_ERROR -134#define CLOSE_SOCKET close35#define SOCKET int36#endif3738#define TCP_PORT 2701539#define LISTEN_BACKLOG 540#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)4142/* The two function below always return the same value, so a tool43 should be able to identify that calls to the functions will always44 return a fixed value. */45static int staticReturnsTrue()46{47 return 1;48}4950static int staticReturnsFalse()51{52 return 0;53}5455#ifndef OMITBAD5657void CWE126_Buffer_Overread__CWE129_listen_socket_08_bad()58{✓ 59 int data;60 /* Initialize data */✓ 61 data = -1;✓ 62 if(staticReturnsTrue())63 {64 {65#ifdef _WIN32✓ 66 WSADATA wsaData;✓ 67 int wsaDataInit = 0;68#endif✓ 69 int recvResult;✓ 70 struct sockaddr_in service;✓ 71 SOCKET listenSocket = INVALID_SOCKET;✓ 72 SOCKET acceptSocket = INVALID_SOCKET;✓ 73 char inputBuffer[CHAR_ARRAY_SIZE];74 do75 {76#ifdef _WIN32✓ 77 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)78 {✓ 79 break;80 }✓ 81 wsaDataInit = 1;82#endif83 /* POTENTIAL FLAW: Read data using a listen socket */✓ 84 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);✓ 85 if (listenSocket == INVALID_SOCKET)86 {✓ 87 break;88 }✓ 89 memset(&service, 0, sizeof(service));✓ 90 service.sin_family = AF_INET;✓ 91 service.sin_addr.s_addr = INADDR_ANY;✓ 92 service.sin_port = htons(TCP_PORT);✓ 93 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)94 {✓ 95 break;96 }✓ 97 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)98 {✓ 99 break;100 }✓101 acceptSocket = accept(listenSocket, NULL, NULL);✓102 if (acceptSocket == SOCKET_ERROR)103 {✓104 break;105 }106 /* Abort on error or the connection was closed */✓107 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);✓108 if (recvResult == SOCKET_ERROR || recvResult == 0)109 {✓110 break;111 }112 /* NUL-terminate the string */✓113 inputBuffer[recvResult] = '\0';114 /* Convert to int */✓115 data = atoi(inputBuffer);116 }✓117 while (0);✓118 if (listenSocket != INVALID_SOCKET)119 {✓120 CLOSE_SOCKET(listenSocket);121 }✓122 if (acceptSocket != INVALID_SOCKET)123 {✓124 CLOSE_SOCKET(acceptSocket);125 }126#ifdef _WIN32✓127 if (wsaDataInit)128 {✓129 WSACleanup();130 }131#endif132 }133 }✓134 if(staticReturnsTrue())135 {136 {✓137 int buffer[10] = { 0 };138 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound139 * This check does not check the upper bounds of the array index */✓140 if (data >= 0)141 {✓142 printIntLine(buffer[data]);❗VULN143 }144 else145 {✓146 printLine("ERROR: Array index is negative");147 }148 }149 }150}151152#endif /* OMITBAD */153154#ifndef OMITGOOD155156/* goodB2G1() - use badsource and goodsink by changing the second staticReturnsTrue() to staticReturnsFalse() */157static void goodB2G1()158{159 int data;160 /* Initialize data */161 data = -1;162 if(staticReturnsTrue())163 {164 {165#ifdef _WIN32166 WSADATA wsaData;167 int wsaDataInit = 0;168#endif169 int recvResult;170 struct sockaddr_in service;171 SOCKET listenSocket = INVALID_SOCKET;172 SOCKET acceptSocket = INVALID_SOCKET;173 char inputBuffer[CHAR_ARRAY_SIZE];174 do175 {176#ifdef _WIN32177 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)178 {179 break;180 }181 wsaDataInit = 1;182#endif183 /* POTENTIAL FLAW: Read data using a listen socket */184 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);185 if (listenSocket == INVALID_SOCKET)186 {187 break;188 }189 memset(&service, 0, sizeof(service));190 service.sin_family = AF_INET;191 service.sin_addr.s_addr = INADDR_ANY;192 service.sin_port = htons(TCP_PORT);193 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)194 {195 break;196 }197 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)198 {199 break;200 }201 acceptSocket = accept(listenSocket, NULL, NULL);202 if (acceptSocket == SOCKET_ERROR)203 {204 break;205 }206 /* Abort on error or the connection was closed */207 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);208 if (recvResult == SOCKET_ERROR || recvResult == 0)209 {210 break;211 }212 /* NUL-terminate the string */213 inputBuffer[recvResult] = '\0';214 /* Convert to int */215 data = atoi(inputBuffer);216 }217 while (0);218 if (listenSocket != INVALID_SOCKET)219 {220 CLOSE_SOCKET(listenSocket);221 }222 if (acceptSocket != INVALID_SOCKET)223 {224 CLOSE_SOCKET(acceptSocket);225 }226#ifdef _WIN32227 if (wsaDataInit)228 {229 WSACleanup();230 }231#endif232 }233 }234 if(staticReturnsFalse())235 {236 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */237 printLine("Benign, fixed string");238 }239 else240 {241 {242 int buffer[10] = { 0 };243 /* FIX: Properly validate the array index and prevent a buffer overread */244 if (data >= 0 && data < (10))245 {246 printIntLine(buffer[data]);247 }248 else249 {250 printLine("ERROR: Array index is out-of-bounds");251 }252 }253 }254}255256/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */257static void goodB2G2()258{259 int data;260 /* Initialize data */261 data = -1;262 if(staticReturnsTrue())263 {264 {265#ifdef _WIN32266 WSADATA wsaData;267 int wsaDataInit = 0;268#endif269 int recvResult;270 struct sockaddr_in service;271 SOCKET listenSocket = INVALID_SOCKET;272 SOCKET acceptSocket = INVALID_SOCKET;273 char inputBuffer[CHAR_ARRAY_SIZE];274 do275 {276#ifdef _WIN32277 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)278 {279 break;280 }281 wsaDataInit = 1;282#endif283 /* POTENTIAL FLAW: Read data using a listen socket */284 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);285 if (listenSocket == INVALID_SOCKET)286 {287 break;288 }289 memset(&service, 0, sizeof(service));290 service.sin_family = AF_INET;291 service.sin_addr.s_addr = INADDR_ANY;292 service.sin_port = htons(TCP_PORT);293 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)294 {295 break;296 }297 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)298 {299 break;300 }301 acceptSocket = accept(listenSocket, NULL, NULL);302 if (acceptSocket == SOCKET_ERROR)303 {304 break;305 }306 /* Abort on error or the connection was closed */307 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);308 if (recvResult == SOCKET_ERROR || recvResult == 0)309 {310 break;311 }312 /* NUL-terminate the string */313 inputBuffer[recvResult] = '\0';314 /* Convert to int */315 data = atoi(inputBuffer);316 }317 while (0);318 if (listenSocket != INVALID_SOCKET)319 {320 CLOSE_SOCKET(listenSocket);321 }322 if (acceptSocket != INVALID_SOCKET)323 {324 CLOSE_SOCKET(acceptSocket);325 }326#ifdef _WIN32327 if (wsaDataInit)328 {329 WSACleanup();330 }331#endif332 }333 }334 if(staticReturnsTrue())335 {336 {337 int buffer[10] = { 0 };338 /* FIX: Properly validate the array index and prevent a buffer overread */339 if (data >= 0 && data < (10))340 {341 printIntLine(buffer[data]);342 }343 else344 {345 printLine("ERROR: Array index is out-of-bounds");346 }347 }348 }349}350351/* goodG2B1() - use goodsource and badsink by changing the first staticReturnsTrue() to staticReturnsFalse() */352static void goodG2B1()353{354 int data;355 /* Initialize data */356 data = -1;357 if(staticReturnsFalse())358 {359 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */360 printLine("Benign, fixed string");361 }362 else363 {364 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to365 * access an index of the array in the sink that is out-of-bounds */366 data = 7;367 }368 if(staticReturnsTrue())369 {370 {371 int buffer[10] = { 0 };372 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound373 * This check does not check the upper bounds of the array index */374 if (data >= 0)375 {376 printIntLine(buffer[data]);377 }378 else379 {380 printLine("ERROR: Array index is negative");381 }382 }383 }384}385386/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */387static void goodG2B2()388{389 int data;390 /* Initialize data */391 data = -1;392 if(staticReturnsTrue())393 {394 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to395 * access an index of the array in the sink that is out-of-bounds */396 data = 7;397 }398 if(staticReturnsTrue())399 {400 {401 int buffer[10] = { 0 };402 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound403 * This check does not check the upper bounds of the array index */404 if (data >= 0)405 {406 printIntLine(buffer[data]);407 }408 else409 {410 printLine("ERROR: Array index is negative");411 }412 }413 }414}415416void CWE126_Buffer_Overread__CWE129_listen_socket_08_good()417{418 goodB2G1();419 goodB2G2();420 goodG2B1();421 goodG2B2();422}423424#endif /* OMITGOOD */425426/* Below is the main(). It is only used when building this testcase on427 its own for testing or for building a binary to use in testing binary428 analysis tools. It is not used when compiling all the testcases as one429 application, which is how source code analysis tools are tested. */430431#ifdef INCLUDEMAIN432433int main(int argc, char * argv[])434{435 /* seed randomness */436 srand( (unsigned)time(NULL) );437#ifndef OMITGOOD438 printLine("Calling good()...");439 CWE126_Buffer_Overread__CWE129_listen_socket_08_good();440 printLine("Finished good()");441#endif /* OMITGOOD */442#ifndef OMITBAD443 printLine("Calling bad()...");444 CWE126_Buffer_Overread__CWE129_listen_socket_08_bad();445 printLine("Finished bad()");446#endif /* OMITBAD */447 return 0;448}449450#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-04.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are declared "const", so a tool should22 * be able to identify that reads of these will always return their23 * initialized values.24 */25static const int STATIC_CONST_TRUE = 1; /* true */26static const int STATIC_CONST_FALSE = 0; /* false */2728#ifndef OMITBAD2930void CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04_bad()31{✓ 32 wchar_t * data;✓ 33 wchar_t dataBuffer[100];✓ 34 wmemset(dataBuffer, L'A', 100-1);✓ 35 dataBuffer[100-1] = L'\0';✓ 36 if(STATIC_CONST_TRUE)37 {38 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 39 data = dataBuffer - 8;40 }41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 46 memcpy(data, source, 100*sizeof(wchar_t));❗VULN47 /* Ensure the destination buffer is null terminated */✓ 48 data[100-1] = L'\0';✓ 49 printWLine(data);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */58static void goodG2B1()59{60 wchar_t * data;61 wchar_t dataBuffer[100];62 wmemset(dataBuffer, L'A', 100-1);63 dataBuffer[100-1] = L'\0';64 if(STATIC_CONST_FALSE)65 {66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */67 printLine("Benign, fixed string");68 }69 else70 {71 /* FIX: Set data pointer to the allocated memory buffer */72 data = dataBuffer;73 }74 {75 wchar_t source[100];76 wmemset(source, L'C', 100-1); /* fill with 'C's */77 source[100-1] = L'\0'; /* null terminate */78 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */79 memcpy(data, source, 100*sizeof(wchar_t));80 /* Ensure the destination buffer is null terminated */81 data[100-1] = L'\0';82 printWLine(data);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 wchar_t * data;90 wchar_t dataBuffer[100];91 wmemset(dataBuffer, L'A', 100-1);92 dataBuffer[100-1] = L'\0';93 if(STATIC_CONST_TRUE)94 {95 /* FIX: Set data pointer to the allocated memory buffer */96 data = dataBuffer;97 }98 {99 wchar_t source[100];100 wmemset(source, L'C', 100-1); /* fill with 'C's */101 source[100-1] = L'\0'; /* null terminate */102 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */103 memcpy(data, source, 100*sizeof(wchar_t));104 /* Ensure the destination buffer is null terminated */105 data[100-1] = L'\0';106 printWLine(data);107 }108}109110void CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04_good()111{112 goodG2B1();113 goodG2B2();114}115116#endif /* OMITGOOD */117118/* Below is the main(). It is only used when building this testcase on119 * its own for testing or for building a binary to use in testing binary120 * analysis tools. It is not used when compiling all the testcases as one121 * application, which is how source code analysis tools are tested.122 */123124#ifdef INCLUDEMAIN125126int main(int argc, char * argv[])127{128 /* seed randomness */129 srand( (unsigned)time(NULL) );130#ifndef OMITGOOD131 printLine("Calling good()...");132 CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04_good();133 printLine("Finished good()");134#endif /* OMITGOOD */135#ifndef OMITBAD136 printLine("Calling bad()...");137 CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04_bad();138 printLine("Finished bad()");139#endif /* OMITBAD */140 return 0;141}142143#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 15 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE127_Buffer_Underread__malloc_char_cpy_18.c3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 127 Buffer Under-read9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy data to string using strcpy13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE127_Buffer_Underread__malloc_char_cpy_18_bad()24{✓ 25 char * data;✓ 26 data = NULL;✓ 27 goto source;✓ 28source:29 {✓ 30 char * dataBuffer = (char *)malloc(100*sizeof(char));✓ 31 if (dataBuffer == NULL) {exit(-1);}✓ 32 memset(dataBuffer, 'A', 100-1);✓ 33 dataBuffer[100-1] = '\0';34 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 35 data = dataBuffer - 8;36 }37 {✓ 38 char dest[100*2];✓ 39 memset(dest, 'C', 100*2-1); /* fill with 'C's */✓ 40 dest[100*2-1] = '\0'; /* null terminate */41 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */✓ 42 strcpy(dest, data);❗VULN✓ 43 printLine(dest);44 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location45 * returned by malloc() so can't safely call free() on it */46 }47}4849#endif /* OMITBAD */5051#ifndef OMITGOOD5253/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */54static void goodG2B()55{56 char * data;57 data = NULL;58 goto source;59source:60 {61 char * dataBuffer = (char *)malloc(100*sizeof(char));62 if (dataBuffer == NULL) {exit(-1);}63 memset(dataBuffer, 'A', 100-1);64 dataBuffer[100-1] = '\0';65 /* FIX: Set data pointer to the allocated memory buffer */66 data = dataBuffer;67 }68 {69 char dest[100*2];70 memset(dest, 'C', 100*2-1); /* fill with 'C's */71 dest[100*2-1] = '\0'; /* null terminate */72 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */73 strcpy(dest, data);74 printLine(dest);75 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location76 * returned by malloc() so can't safely call free() on it */77 }78}7980void CWE127_Buffer_Underread__malloc_char_cpy_18_good()81{82 goodG2B();83}8485#endif /* OMITGOOD */8687/* Below is the main(). It is only used when building this testcase on88 * its own for testing or for building a binary to use in testing binary89 * analysis tools. It is not used when compiling all the testcases as one90 * application, which is how source code analysis tools are tested.91 */9293#ifdef INCLUDEMAIN9495int main(int argc, char * argv[])96{97 /* seed randomness */98 srand( (unsigned)time(NULL) );99#ifndef OMITGOOD100 printLine("Calling good()...");101 CWE127_Buffer_Underread__malloc_char_cpy_18_good();102 printLine("Finished good()");103#endif /* OMITGOOD */104#ifndef OMITBAD105 printLine("Calling bad()...");106 CWE127_Buffer_Underread__malloc_char_cpy_18_bad();107 printLine("Finished bad()");108#endif /* OMITBAD */109 return 0;110}111112#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_char_loop_09.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-09.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE124_Buffer_Underwrite__new_char_loop_0922{2324#ifndef OMITBAD2526void bad()27{✓ 28 char * data;✓ 29 data = NULL;✓ 30 if(GLOBAL_CONST_TRUE)31 {32 {✓ 33 char * dataBuffer = new char[100];✓ 34 memset(dataBuffer, 'A', 100-1);✓ 35 dataBuffer[100-1] = '\0';36 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 37 data = dataBuffer - 8;38 }39 }40 {✓ 41 size_t i;✓ 42 char source[100];✓ 43 memset(source, 'C', 100-1); /* fill with 'C's */✓ 44 source[100-1] = '\0'; /* null terminate */45 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 46 for (i = 0; i < 100; i++)47 {✓ 48 data[i] = source[i];❗VULN49 }50 /* Ensure the destination buffer is null terminated */✓ 51 data[100-1] = '\0';✓ 52 printLine(data);53 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location54 * returned by new [] so can't safely call delete [] on it */55 }56}5758#endif /* OMITBAD */5960#ifndef OMITGOOD6162/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */63static void goodG2B1()64{65 char * data;66 data = NULL;67 if(GLOBAL_CONST_FALSE)68 {69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */70 printLine("Benign, fixed string");71 }72 else73 {74 {75 char * dataBuffer = new char[100];76 memset(dataBuffer, 'A', 100-1);77 dataBuffer[100-1] = '\0';78 /* FIX: Set data pointer to the allocated memory buffer */79 data = dataBuffer;80 }81 }82 {83 size_t i;84 char source[100];85 memset(source, 'C', 100-1); /* fill with 'C's */86 source[100-1] = '\0'; /* null terminate */87 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */88 for (i = 0; i < 100; i++)89 {90 data[i] = source[i];91 }92 /* Ensure the destination buffer is null terminated */93 data[100-1] = '\0';94 printLine(data);95 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location96 * returned by new [] so can't safely call delete [] on it */97 }98}99100/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */101static void goodG2B2()102{103 char * data;104 data = NULL;105 if(GLOBAL_CONST_TRUE)106 {107 {108 char * dataBuffer = new char[100];109 memset(dataBuffer, 'A', 100-1);110 dataBuffer[100-1] = '\0';111 /* FIX: Set data pointer to the allocated memory buffer */112 data = dataBuffer;113 }114 }115 {116 size_t i;117 char source[100];118 memset(source, 'C', 100-1); /* fill with 'C's */119 source[100-1] = '\0'; /* null terminate */120 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */121 for (i = 0; i < 100; i++)122 {123 data[i] = source[i];124 }125 /* Ensure the destination buffer is null terminated */126 data[100-1] = '\0';127 printLine(data);128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location129 * returned by new [] so can't safely call delete [] on it */130 }131}132133void good()134{135 goodG2B1();136 goodG2B2();137}138139#endif /* OMITGOOD */140141} /* close namespace */142143/* Below is the main(). It is only used when building this testcase on144 its own for testing or for building a binary to use in testing binary145 analysis tools. It is not used when compiling all the testcases as one146 application, which is how source code analysis tools are tested. */147148#ifdef INCLUDEMAIN149150using namespace CWE124_Buffer_Underwrite__new_char_loop_09; /* so that we can use good and bad easily */151152int main(int argc, char * argv[])153{154 /* seed randomness */155 srand( (unsigned)time(NULL) );156#ifndef OMITGOOD157 printLine("Calling good()...");158 good();159 printLine("Finished good()");160#endif /* OMITGOOD */161#ifndef OMITBAD162 printLine("Calling bad()...");163 bad();164 printLine("Finished bad()");165#endif /* OMITBAD */166 return 0;167}168169#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml4Template File: sources-sink-45.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sinks: loop12 * BadSink : Copy string to data using a loop13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_badData;22static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_goodG2BData;2324#ifndef OMITBAD2526static void badSink()27{✓ 28 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_badData;29 {✓ 30 size_t i;✓ 31 wchar_t source[100];✓ 32 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 33 source[100-1] = L'\0'; /* null terminate */34 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 35 for (i = 0; i < 100; i++)36 {✓ 37 data[i] = source[i];❗VULN38 }✓ 39 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 40 printWLine(data);41 }42}4344void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_bad()45{46 wchar_t * data;47 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));48 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));49 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination50 * buffer in various memory copying functions using a "large" source buffer. */51 data = dataBadBuffer;52 data[0] = L'\0'; /* null terminate */53 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_badData = data;54 badSink();55}5657#endif /* OMITBAD */5859#ifndef OMITGOOD6061/* goodG2B() uses the GoodSource with the BadSink */62static void goodG2BSink()63{64 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_goodG2BData;65 {66 size_t i;67 wchar_t source[100];68 wmemset(source, L'C', 100-1); /* fill with L'C's */69 source[100-1] = L'\0'; /* null terminate */70 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */71 for (i = 0; i < 100; i++)72 {73 data[i] = source[i];74 }75 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */76 printWLine(data);77 }78}7980static void goodG2B()81{82 wchar_t * data;83 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));84 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));85 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */86 data = dataGoodBuffer;87 data[0] = L'\0'; /* null terminate */88 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_goodG2BData = data;89 goodG2BSink();90}9192void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_good()93{94 goodG2B();95}9697#endif /* OMITGOOD */9899/* Below is the main(). It is only used when building this testcase on100 * its own for testing or for building a binary to use in testing binary101 * analysis tools. It is not used when compiling all the testcases as one102 * application, which is how source code analysis tools are tested.103 */104#ifdef INCLUDEMAIN105106int main(int argc, char * argv[])107{108 /* seed randomness */109 srand( (unsigned)time(NULL) );110#ifndef OMITGOOD111 printLine("Calling good()...");112 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_good();113 printLine("Finished good()");114#endif /* OMITGOOD */115#ifndef OMITBAD116 printLine("Calling bad()...");117 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_bad();118 printLine("Finished bad()");119#endif /* OMITBAD */120 return 0;121}122123#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 13 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncat_17.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml4Template File: sources-sink-17.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncat12 * BadSink : Copy data to string using strncat13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncat_1722{2324#ifndef OMITBAD2526void bad()27{✓ 28 int i;✓ 29 char * data;✓ 30 data = new char[100];✓ 31 for(i = 0; i < 1; i++)32 {33 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */✓ 34 memset(data, 'A', 100-1); /* fill with 'A's */✓ 35 data[100-1] = '\0'; /* null terminate */36 }37 {✓ 38 char dest[50] = "";39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/✓ 40 strncat(dest, data, strlen(data));❗VULN✓ 41 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 42 printLine(data);✓ 43 delete [] data;44 }45}4647#endif /* OMITBAD */4849#ifndef OMITGOOD5051/* goodG2B() - use goodsource in the for statement */52static void goodG2B()53{54 int h;55 char * data;56 data = new char[100];57 for(h = 0; h < 1; h++)58 {59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */60 memset(data, 'A', 50-1); /* fill with 'A's */61 data[50-1] = '\0'; /* null terminate */62 }63 {64 char dest[50] = "";65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/66 strncat(dest, data, strlen(data));67 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */68 printLine(data);69 delete [] data;70 }71}7273void good()74{75 goodG2B();76}7778#endif /* OMITGOOD */7980} /* close namespace */8182/* Below is the main(). It is only used when building this testcase on83 its own for testing or for building a binary to use in testing binary84 analysis tools. It is not used when compiling all the testcases as one85 application, which is how source code analysis tools are tested. */8687#ifdef INCLUDEMAIN8889using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncat_17; /* so that we can use good and bad easily */9091int main(int argc, char * argv[])92{93 /* seed randomness */94 srand( (unsigned)time(NULL) );95#ifndef OMITGOOD96 printLine("Calling good()...");97 good();98 printLine("Finished good()");99#endif /* OMITGOOD */100#ifndef OMITBAD101 printLine("Calling bad()...");102 bad();103 printLine("Finished bad()");104#endif /* OMITBAD */105 return 0;106}107108#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml4Template File: sources-sink-17.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Set data pointer to the bad buffer10 * GoodSource: Set data pointer to the good buffer11 * Sink: cpy12 * BadSink : Copy string to data using strcpy13 * Flow Variant: 17 Control flow: for loops14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_bad()24{✓ 25 int i;✓ 26 char * data;✓ 27 char dataBadBuffer[50];✓ 28 char dataGoodBuffer[100];✓ 29 for(i = 0; i < 1; i++)30 {31 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination32 * buffer in various memory copying functions using a "large" source buffer. */✓ 33 data = dataBadBuffer;✓ 34 data[0] = '\0'; /* null terminate */35 }36 {✓ 37 char source[100];✓ 38 memset(source, 'C', 100-1); /* fill with 'C's */✓ 39 source[100-1] = '\0'; /* null terminate */40 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */✓ 41 strcpy(data, source);❗VULN✓ 42 printLine(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */51static void goodG2B()52{53 int h;54 char * data;55 char dataBadBuffer[50];56 char dataGoodBuffer[100];57 for(h = 0; h < 1; h++)58 {59 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */60 data = dataGoodBuffer;61 data[0] = '\0'; /* null terminate */62 }63 {64 char source[100];65 memset(source, 'C', 100-1); /* fill with 'C's */66 source[100-1] = '\0'; /* null terminate */67 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */68 strcpy(data, source);69 printLine(data);70 }71}7273void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_good()74{75 goodG2B();76}7778#endif /* OMITGOOD */7980/* Below is the main(). It is only used when building this testcase on81 * its own for testing or for building a binary to use in testing binary82 * analysis tools. It is not used when compiling all the testcases as one83 * application, which is how source code analysis tools are tested.84 */8586#ifdef INCLUDEMAIN8788int main(int argc, char * argv[])89{90 /* seed randomness */91 srand( (unsigned)time(NULL) );92#ifndef OMITGOOD93 printLine("Calling good()...");94 CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_good();95 printLine("Finished good()");96#endif /* OMITGOOD */97#ifndef OMITBAD98 printLine("Calling bad()...");99 CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_bad();100 printLine("Finished bad()");101#endif /* OMITBAD */102 return 0;103}104105#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 9 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22a.c3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml4Template File: sources-sink-22a.tmpl.c5*/6/*7 * @description8 * CWE: 121 Stack Based Buffer Overflow9 * BadSource: Initialize data as a large string10 * GoodSource: Initialize data as a small string11 * Sink: ncpy12 * BadSink : Copy data to string using strncpy13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223/* The global variable below is used to drive control flow in the source function */24int CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_badGlobal = 0;2526char * CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_badSource(char * data);2728void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_bad()29{✓ 30 char * data;✓ 31 char dataBuffer[100];✓ 32 data = dataBuffer;✓ 33 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_badGlobal = 1; /* true */✓ 34 data = CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_badSource(data);35 {✓ 36 char dest[50] = "";37 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */✓ 38 strncpy(dest, data, strlen(data));❗VULN✓ 39 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */✓ 40 printLine(data);41 }42}4344#endif /* OMITBAD */4546#ifndef OMITGOOD4748/* The global variables below are used to drive control flow in the source functions. */49int CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B1Global = 0;50int CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B2Global = 0;5152/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */53char * CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B1Source(char * data);5455static void goodG2B1()56{57 char * data;58 char dataBuffer[100];59 data = dataBuffer;60 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B1Global = 0; /* false */61 data = CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B1Source(data);62 {63 char dest[50] = "";64 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */65 strncpy(dest, data, strlen(data));66 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */67 printLine(data);68 }69}7071/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */72char * CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B2Source(char * data);7374static void goodG2B2()75{76 char * data;77 char dataBuffer[100];78 data = dataBuffer;79 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B2Global = 1; /* true */80 data = CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B2Source(data);81 {82 char dest[50] = "";83 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */84 strncpy(dest, data, strlen(data));85 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */86 printLine(data);87 }88}8990void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_good()91{92 goodG2B1();93 goodG2B2();94}9596#endif /* OMITGOOD */9798/* Below is the main(). It is only used when building this testcase on99 * its own for testing or for building a binary to use in testing binary100 * analysis tools. It is not used when compiling all the testcases as one101 * application, which is how source code analysis tools are tested.102 */103104#ifdef INCLUDEMAIN105106int main(int argc, char * argv[])107{108 /* seed randomness */109 srand( (unsigned)time(NULL) );110#ifndef OMITGOOD111 printLine("Calling good()...");112 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_good();113 printLine("Finished good()");114#endif /* OMITGOOD */115#ifndef OMITBAD116 printLine("Calling bad()...");117 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_bad();118 printLine("Finished bad()");119#endif /* OMITBAD */120 return 0;121}122123#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 12 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09.c3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml4Template File: sources-sink-09.tmpl.c5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021#ifndef OMITBAD2223void CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09_bad()24{✓ 25 wchar_t * data;✓ 26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));✓ 27 wmemset(dataBuffer, L'A', 100-1);✓ 28 dataBuffer[100-1] = L'\0';✓ 29 if(GLOBAL_CONST_TRUE)30 {31 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 32 data = dataBuffer - 8;33 }34 {✓ 35 wchar_t source[100];✓ 36 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 37 source[100-1] = L'\0'; /* null terminate */38 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 39 memcpy(data, source, 100*sizeof(wchar_t));❗VULN40 /* Ensure the destination buffer is null terminated */✓ 41 data[100-1] = L'\0';✓ 42 printWLine(data);43 }44}4546#endif /* OMITBAD */4748#ifndef OMITGOOD4950/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */51static void goodG2B1()52{53 wchar_t * data;54 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));55 wmemset(dataBuffer, L'A', 100-1);56 dataBuffer[100-1] = L'\0';57 if(GLOBAL_CONST_FALSE)58 {59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */60 printLine("Benign, fixed string");61 }62 else63 {64 /* FIX: Set data pointer to the allocated memory buffer */65 data = dataBuffer;66 }67 {68 wchar_t source[100];69 wmemset(source, L'C', 100-1); /* fill with 'C's */70 source[100-1] = L'\0'; /* null terminate */71 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */72 memcpy(data, source, 100*sizeof(wchar_t));73 /* Ensure the destination buffer is null terminated */74 data[100-1] = L'\0';75 printWLine(data);76 }77}7879/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */80static void goodG2B2()81{82 wchar_t * data;83 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));84 wmemset(dataBuffer, L'A', 100-1);85 dataBuffer[100-1] = L'\0';86 if(GLOBAL_CONST_TRUE)87 {88 /* FIX: Set data pointer to the allocated memory buffer */89 data = dataBuffer;90 }91 {92 wchar_t source[100];93 wmemset(source, L'C', 100-1); /* fill with 'C's */94 source[100-1] = L'\0'; /* null terminate */95 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */96 memcpy(data, source, 100*sizeof(wchar_t));97 /* Ensure the destination buffer is null terminated */98 data[100-1] = L'\0';99 printWLine(data);100 }101}102103void CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09_good()104{105 goodG2B1();106 goodG2B2();107}108109#endif /* OMITGOOD */110111/* Below is the main(). It is only used when building this testcase on112 * its own for testing or for building a binary to use in testing binary113 * analysis tools. It is not used when compiling all the testcases as one114 * application, which is how source code analysis tools are tested.115 */116117#ifdef INCLUDEMAIN118119int main(int argc, char * argv[])120{121 /* seed randomness */122 srand( (unsigned)time(NULL) );123#ifndef OMITGOOD124 printLine("Calling good()...");125 CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09_good();126 printLine("Finished good()");127#endif /* OMITGOOD */128#ifndef OMITBAD129 printLine("Calling bad()...");130 CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09_bad();131 printLine("Finished bad()");132#endif /* OMITBAD */133 return 0;134}135136#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 22 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_fgets_06.cpp3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129.label.xml4Template File: sources-sinks-06.tmpl.cpp5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: fgets Read data from the console using fgets()10 * GoodSource: Larger than zero but less than 1011 * Sinks:12 * GoodSink: Ensure the array index is valid13 * BadSink : Improperly check the array index by not checking the upper bound14 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)15 *16 * */1718#include "std_testcase.h"1920#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)2122/* The variable below is declared "const", so a tool should be able23 to identify that reads of this will always give its initialized24 value. */25static const int STATIC_CONST_FIVE = 5;2627namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_fgets_0628{2930#ifndef OMITBAD3132void bad()33{✓ 34 int data;35 /* Initialize data */✓ 36 data = -1;✓ 37 if(STATIC_CONST_FIVE==5)38 {39 {✓ 40 char inputBuffer[CHAR_ARRAY_SIZE] = "";41 /* POTENTIAL FLAW: Read data from the console using fgets() */✓ 42 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)43 {44 /* Convert to int */✓ 45 data = atoi(inputBuffer);46 }47 else48 {✓ 49 printLine("fgets() failed.");50 }51 }52 }✓ 53 if(STATIC_CONST_FIVE==5)54 {55 {✓ 56 int i;✓ 57 int * buffer = new int[10];58 /* initialize buffer */✓ 59 for (i = 0; i < 10; i++)60 {✓ 61 buffer[i] = 0;62 }63 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound64 * This code does check to see if the array index is negative */✓ 65 if (data >= 0)66 {✓ 67 buffer[data] = 1;❗VULN68 /* Print the array values */✓ 69 for(i = 0; i < 10; i++)70 {✓ 71 printIntLine(buffer[i]);72 }73 }74 else75 {✓ 76 printLine("ERROR: Array index is negative.");77 }✓ 78 delete[] buffer;79 }80 }81}8283#endif /* OMITBAD */8485#ifndef OMITGOOD8687/* goodB2G1() - use badsource and goodsink by changing the second STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */88static void goodB2G1()89{90 int data;91 /* Initialize data */92 data = -1;93 if(STATIC_CONST_FIVE==5)94 {95 {96 char inputBuffer[CHAR_ARRAY_SIZE] = "";97 /* POTENTIAL FLAW: Read data from the console using fgets() */98 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)99 {100 /* Convert to int */101 data = atoi(inputBuffer);102 }103 else104 {105 printLine("fgets() failed.");106 }107 }108 }109 if(STATIC_CONST_FIVE!=5)110 {111 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */112 printLine("Benign, fixed string");113 }114 else115 {116 {117 int i;118 int * buffer = new int[10];119 /* initialize buffer */120 for (i = 0; i < 10; i++)121 {122 buffer[i] = 0;123 }124 /* FIX: Properly validate the array index and prevent a buffer overflow */125 if (data >= 0 && data < (10))126 {127 buffer[data] = 1;128 /* Print the array values */129 for(i = 0; i < 10; i++)130 {131 printIntLine(buffer[i]);132 }133 }134 else135 {136 printLine("ERROR: Array index is out-of-bounds");137 }138 delete[] buffer;139 }140 }141}142143/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */144static void goodB2G2()145{146 int data;147 /* Initialize data */148 data = -1;149 if(STATIC_CONST_FIVE==5)150 {151 {152 char inputBuffer[CHAR_ARRAY_SIZE] = "";153 /* POTENTIAL FLAW: Read data from the console using fgets() */154 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)155 {156 /* Convert to int */157 data = atoi(inputBuffer);158 }159 else160 {161 printLine("fgets() failed.");162 }163 }164 }165 if(STATIC_CONST_FIVE==5)166 {167 {168 int i;169 int * buffer = new int[10];170 /* initialize buffer */171 for (i = 0; i < 10; i++)172 {173 buffer[i] = 0;174 }175 /* FIX: Properly validate the array index and prevent a buffer overflow */176 if (data >= 0 && data < (10))177 {178 buffer[data] = 1;179 /* Print the array values */180 for(i = 0; i < 10; i++)181 {182 printIntLine(buffer[i]);183 }184 }185 else186 {187 printLine("ERROR: Array index is out-of-bounds");188 }189 delete[] buffer;190 }191 }192}193194/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */195static void goodG2B1()196{197 int data;198 /* Initialize data */199 data = -1;200 if(STATIC_CONST_FIVE!=5)201 {202 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */203 printLine("Benign, fixed string");204 }205 else206 {207 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to208 * access an index of the array in the sink that is out-of-bounds */209 data = 7;210 }211 if(STATIC_CONST_FIVE==5)212 {213 {214 int i;215 int * buffer = new int[10];216 /* initialize buffer */217 for (i = 0; i < 10; i++)218 {219 buffer[i] = 0;220 }221 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound222 * This code does check to see if the array index is negative */223 if (data >= 0)224 {225 buffer[data] = 1;226 /* Print the array values */227 for(i = 0; i < 10; i++)228 {229 printIntLine(buffer[i]);230 }231 }232 else233 {234 printLine("ERROR: Array index is negative.");235 }236 delete[] buffer;237 }238 }239}240241/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */242static void goodG2B2()243{244 int data;245 /* Initialize data */246 data = -1;247 if(STATIC_CONST_FIVE==5)248 {249 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to250 * access an index of the array in the sink that is out-of-bounds */251 data = 7;252 }253 if(STATIC_CONST_FIVE==5)254 {255 {256 int i;257 int * buffer = new int[10];258 /* initialize buffer */259 for (i = 0; i < 10; i++)260 {261 buffer[i] = 0;262 }263 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound264 * This code does check to see if the array index is negative */265 if (data >= 0)266 {267 buffer[data] = 1;268 /* Print the array values */269 for(i = 0; i < 10; i++)270 {271 printIntLine(buffer[i]);272 }273 }274 else275 {276 printLine("ERROR: Array index is negative.");277 }278 delete[] buffer;279 }280 }281}282283void good()284{285 goodB2G1();286 goodB2G2();287 goodG2B1();288 goodG2B2();289}290291#endif /* OMITGOOD */292293} /* close namespace */294295/* Below is the main(). It is only used when building this testcase on296 its own for testing or for building a binary to use in testing binary297 analysis tools. It is not used when compiling all the testcases as one298 application, which is how source code analysis tools are tested. */299300#ifdef INCLUDEMAIN301302using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_fgets_06; /* so that we can use good and bad easily */303304int main(int argc, char * argv[])305{306 /* seed randomness */307 srand( (unsigned)time(NULL) );308#ifndef OMITGOOD309 printLine("Calling good()...");310 good();311 printLine("Finished good()");312#endif /* OMITGOOD */313#ifndef OMITBAD314 printLine("Calling bad()...");315 bad();316 printLine("Finished bad()");317#endif /* OMITBAD */318 return 0;319}320321#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 17 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml4Template File: sources-sink-16.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: memmove12 * BadSink : Copy twoIntsStruct array to data using memmove13 * Flow Variant: 16 Control flow: while(1)14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16_bad()22{✓ 23 twoIntsStruct * data;✓ 24 data = NULL;✓ 25 while(1)26 {27 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 28 data = (twoIntsStruct *)malloc(50*sizeof(twoIntsStruct));✓ 29 if (data == NULL) {exit(-1);}✓ 30 break;31 }32 {✓ 33 twoIntsStruct source[100];34 {✓ 35 size_t i;36 /* Initialize array */✓ 37 for (i = 0; i < 100; i++)38 {✓ 39 source[i].intOne = 0;✓ 40 source[i].intTwo = 0;41 }42 }43 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */✓ 44 memmove(data, source, 100*sizeof(twoIntsStruct));❗VULN✓ 45 printStructLine(&data[0]);✓ 46 free(data);47 }48}4950#endif /* OMITBAD */5152#ifndef OMITGOOD5354/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */55static void goodG2B()56{57 twoIntsStruct * data;58 data = NULL;59 while(1)60 {61 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */62 data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct));63 if (data == NULL) {exit(-1);}64 break;65 }66 {67 twoIntsStruct source[100];68 {69 size_t i;70 /* Initialize array */71 for (i = 0; i < 100; i++)72 {73 source[i].intOne = 0;74 source[i].intTwo = 0;75 }76 }77 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */78 memmove(data, source, 100*sizeof(twoIntsStruct));79 printStructLine(&data[0]);80 free(data);81 }82}8384void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16_good()85{86 goodG2B();87}8889#endif /* OMITGOOD */9091/* Below is the main(). It is only used when building this testcase on92 * its own for testing or for building a binary to use in testing binary93 * analysis tools. It is not used when compiling all the testcases as one94 * application, which is how source code analysis tools are tested.95 */9697#ifdef INCLUDEMAIN9899int main(int argc, char * argv[])100{101 /* seed randomness */102 srand( (unsigned)time(NULL) );103#ifndef OMITGOOD104 printLine("Calling good()...");105 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16_good();106 printLine("Finished good()");107#endif /* OMITGOOD */108#ifndef OMITBAD109 printLine("Calling bad()...");110 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16_bad();111 printLine("Finished bad()");112#endif /* OMITBAD */113 return 0;114}115116#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 14 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml4Template File: sources-sink-05.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate using malloc() and set data pointer to a small buffer10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer11 * Sink: memcpy12 * BadSink : Copy string to data using memcpy13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021/* The two variables below are not defined as "const", but are never22 * assigned any other value, so a tool should be able to identify that23 * reads of these will always return their initialized values.24 */25static int staticTrue = 1; /* true */26static int staticFalse = 0; /* false */2728#ifndef OMITBAD2930void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05_bad()31{✓ 32 wchar_t * data;✓ 33 data = NULL;✓ 34 if(staticTrue)35 {36 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */✓ 37 data = (wchar_t *)malloc(50*sizeof(wchar_t));✓ 38 if (data == NULL) {exit(-1);}✓ 39 data[0] = L'\0'; /* null terminate */40 }41 {✓ 42 wchar_t source[100];✓ 43 wmemset(source, L'C', 100-1); /* fill with L'C's */✓ 44 source[100-1] = L'\0'; /* null terminate */45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */✓ 46 memcpy(data, source, 100*sizeof(wchar_t));❗VULN✓ 47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */✓ 48 printWLine(data);✓ 49 free(data);50 }51}5253#endif /* OMITBAD */5455#ifndef OMITGOOD5657/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */58static void goodG2B1()59{60 wchar_t * data;61 data = NULL;62 if(staticFalse)63 {64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */65 printLine("Benign, fixed string");66 }67 else68 {69 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */70 data = (wchar_t *)malloc(100*sizeof(wchar_t));71 if (data == NULL) {exit(-1);}72 data[0] = L'\0'; /* null terminate */73 }74 {75 wchar_t source[100];76 wmemset(source, L'C', 100-1); /* fill with L'C's */77 source[100-1] = L'\0'; /* null terminate */78 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */79 memcpy(data, source, 100*sizeof(wchar_t));80 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */81 printWLine(data);82 free(data);83 }84}8586/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */87static void goodG2B2()88{89 wchar_t * data;90 data = NULL;91 if(staticTrue)92 {93 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */94 data = (wchar_t *)malloc(100*sizeof(wchar_t));95 if (data == NULL) {exit(-1);}96 data[0] = L'\0'; /* null terminate */97 }98 {99 wchar_t source[100];100 wmemset(source, L'C', 100-1); /* fill with L'C's */101 source[100-1] = L'\0'; /* null terminate */102 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */103 memcpy(data, source, 100*sizeof(wchar_t));104 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */105 printWLine(data);106 free(data);107 }108}109110void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05_good()111{112 goodG2B1();113 goodG2B2();114}115116#endif /* OMITGOOD */117118/* Below is the main(). It is only used when building this testcase on119 * its own for testing or for building a binary to use in testing binary120 * analysis tools. It is not used when compiling all the testcases as one121 * application, which is how source code analysis tools are tested.122 */123124#ifdef INCLUDEMAIN125126int main(int argc, char * argv[])127{128 /* seed randomness */129 srand( (unsigned)time(NULL) );130#ifndef OMITGOOD131 printLine("Calling good()...");132 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05_good();133 printLine("Finished good()");134#endif /* OMITGOOD */135#ifndef OMITBAD136 printLine("Calling bad()...");137 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05_bad();138 printLine("Finished bad()");139#endif /* OMITBAD */140 return 0;141}142143#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 11 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18.c3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml4Template File: sources-sink-18.tmpl.c5*/6/*7 * @description8 * CWE: 122 Heap Based Buffer Overflow9 * BadSource: Allocate memory without using sizeof(int)10 * GoodSource: Allocate memory using sizeof(int)11 * Sink: memcpy12 * BadSink : Copy array to data using memcpy()13 * Flow Variant: 18 Control flow: goto statements14 *15 * */1617#include "std_testcase.h"1819#ifndef OMITBAD2021void CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18_bad()22{✓ 23 int * data;✓ 24 data = NULL;✓ 25 goto source;✓ 26source:27 /* FLAW: Allocate memory without using sizeof(int) */✓ 28 data = (int *)malloc(10);✓ 29 if (data == NULL) {exit(-1);}30 {✓ 31 int source[10] = {0};32 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */✓ 33 memcpy(data, source, 10*sizeof(int));❗VULN✓ 34 printIntLine(data[0]);✓ 35 free(data);36 }37}3839#endif /* OMITBAD */4041#ifndef OMITGOOD4243/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */44static void goodG2B()45{46 int * data;47 data = NULL;48 goto source;49source:50 /* FIX: Allocate memory using sizeof(int) */51 data = (int *)malloc(10*sizeof(int));52 if (data == NULL) {exit(-1);}53 {54 int source[10] = {0};55 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */56 memcpy(data, source, 10*sizeof(int));57 printIntLine(data[0]);58 free(data);59 }60}6162void CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18_good()63{64 goodG2B();65}6667#endif /* OMITGOOD */6869/* Below is the main(). It is only used when building this testcase on70 * its own for testing or for building a binary to use in testing binary71 * analysis tools. It is not used when compiling all the testcases as one72 * application, which is how source code analysis tools are tested.73 */7475#ifdef INCLUDEMAIN7677int main(int argc, char * argv[])78{79 /* seed randomness */80 srand( (unsigned)time(NULL) );81#ifndef OMITGOOD82 printLine("Calling good()...");83 CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18_good();84 printLine("Finished good()");85#endif /* OMITGOOD */86#ifndef OMITBAD87 printLine("Calling bad()...");88 CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18_bad();89 printLine("Finished bad()");90#endif /* OMITBAD */91 return 0;92}9394#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Nodes: 16 | Sink Nodes: 1 predicted, 1 actual
Lines are highlighted based on model predictions. Hover over highlighted lines for details.
1/* TEMPLATE GENERATED TESTCASE FILE2Filename: CWE124_Buffer_Underwrite__new_wchar_t_cpy_12.cpp3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml4Template File: sources-sink-12.tmpl.cpp5*/6/*7 * @description8 * CWE: 124 Buffer Underwrite9 * BadSource: Set data pointer to before the allocated memory buffer10 * GoodSource: Set data pointer to the allocated memory buffer11 * Sink: cpy12 * BadSink : Copy string to data using wcscpy13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())14 *15 * */1617#include "std_testcase.h"1819#include <wchar.h>2021namespace CWE124_Buffer_Underwrite__new_wchar_t_cpy_1222{2324#ifndef OMITBAD2526void bad()27{✓ 28 wchar_t * data;✓ 29 data = NULL;✓ 30 if(globalReturnsTrueOrFalse())31 {32 {✓ 33 wchar_t * dataBuffer = new wchar_t[100];✓ 34 wmemset(dataBuffer, L'A', 100-1);✓ 35 dataBuffer[100-1] = L'\0';36 /* FLAW: Set data pointer to before the allocated memory buffer */✓ 37 data = dataBuffer - 8;38 }39 }40 else41 {42 {✓ 43 wchar_t * dataBuffer = new wchar_t[100];✓ 44 wmemset(dataBuffer, L'A', 100-1);✓ 45 dataBuffer[100-1] = L'\0';46 /* FIX: Set data pointer to the allocated memory buffer */✓ 47 data = dataBuffer;48 }49 }50 {✓ 51 wchar_t source[100];✓ 52 wmemset(source, L'C', 100-1); /* fill with 'C's */✓ 53 source[100-1] = L'\0'; /* null terminate */54 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */✓ 55 wcscpy(data, source);❗VULN✓ 56 printWLine(data);57 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location58 * returned by new [] so can't safely call delete [] on it */59 }60}6162#endif /* OMITBAD */6364#ifndef OMITGOOD6566/* goodG2B() - use goodsource and badsink by changing the "if" so that67 both branches use the GoodSource */68static void goodG2B()69{70 wchar_t * data;71 data = NULL;72 if(globalReturnsTrueOrFalse())73 {74 {75 wchar_t * dataBuffer = new wchar_t[100];76 wmemset(dataBuffer, L'A', 100-1);77 dataBuffer[100-1] = L'\0';78 /* FIX: Set data pointer to the allocated memory buffer */79 data = dataBuffer;80 }81 }82 else83 {84 {85 wchar_t * dataBuffer = new wchar_t[100];86 wmemset(dataBuffer, L'A', 100-1);87 dataBuffer[100-1] = L'\0';88 /* FIX: Set data pointer to the allocated memory buffer */89 data = dataBuffer;90 }91 }92 {93 wchar_t source[100];94 wmemset(source, L'C', 100-1); /* fill with 'C's */95 source[100-1] = L'\0'; /* null terminate */96 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */97 wcscpy(data, source);98 printWLine(data);99 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location100 * returned by new [] so can't safely call delete [] on it */101 }102}103104void good()105{106 goodG2B();107}108109#endif /* OMITGOOD */110111} /* close namespace */112113/* Below is the main(). It is only used when building this testcase on114 its own for testing or for building a binary to use in testing binary115 analysis tools. It is not used when compiling all the testcases as one116 application, which is how source code analysis tools are tested. */117118#ifdef INCLUDEMAIN119120using namespace CWE124_Buffer_Underwrite__new_wchar_t_cpy_12; /* so that we can use good and bad easily */121122int main(int argc, char * argv[])123{124 /* seed randomness */125 srand( (unsigned)time(NULL) );126#ifndef OMITGOOD127 printLine("Calling good()...");128 good();129 printLine("Finished good()");130#endif /* OMITGOOD */131#ifndef OMITBAD132 printLine("Calling bad()...");133 bad();134 printLine("Finished bad()");135#endif /* OMITBAD */136 return 0;137}138139#endif
Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.
Simplified view showing just node numbers. Hover for details.
Accuracy
0.9957
F1-Macro
0.9849
Precision
0.9733
Recall
0.9972